From f9301e0fe52313581920026a186955c78fcbe831 Mon Sep 17 00:00:00 2001 From: Cullum Smith Date: Tue, 22 Oct 2024 22:01:49 -0400 Subject: zfs autosnapshots, syncthing, pam cleanup --- files/etc/cron.d/zfs-autosnapshot.freebsd | 5 + files/etc/cron.d/zfs-trim.freebsd | 1 - files/etc/cron.d/zfs.freebsd | 2 + files/etc/login.access.freebsd | 13 ++ files/etc/pam.d/kde.freebsd | 2 +- files/etc/pam.d/login.freebsd | 3 +- files/etc/pam.d/other.freebsd | 8 ++ files/etc/pam.d/sddm.freebsd | 3 +- files/etc/pam.d/sshd.freebsd | 4 +- files/etc/pam.d/su.freebsd | 10 ++ files/etc/pam.d/sudo.freebsd | 3 +- files/etc/pam.d/system.freebsd | 8 ++ files/etc/pf.conf.nfs_server | 52 ++++++++ files/usr/local/etc/nginx/vhosts.conf.nfs_server | 38 ++++++ .../local/etc/poudriere.d/pkglist.pkg_repository | 3 + files/usr/local/etc/rc.d/syncthing_user.nfs_server | 86 ++++++++++++++ .../local/etc/syncthing.template.xml.nfs_server | 131 +++++++++++++++++++++ files/usr/share/skel/dot.login.freebsd | 4 + files/usr/share/skel/dot.profile.freebsd | 6 + files/usr/share/skel/dot.shrc.freebsd | 19 +++ 20 files changed, 393 insertions(+), 8 deletions(-) create mode 100644 files/etc/cron.d/zfs-autosnapshot.freebsd delete mode 100644 files/etc/cron.d/zfs-trim.freebsd create mode 100644 files/etc/cron.d/zfs.freebsd create mode 100644 files/etc/login.access.freebsd create mode 100644 files/etc/pam.d/other.freebsd create mode 100644 files/etc/pam.d/su.freebsd create mode 100644 files/etc/pam.d/system.freebsd create mode 100644 files/etc/pf.conf.nfs_server create mode 100644 files/usr/local/etc/nginx/vhosts.conf.nfs_server create mode 100644 files/usr/local/etc/rc.d/syncthing_user.nfs_server create mode 100644 files/usr/local/etc/syncthing.template.xml.nfs_server create mode 100644 files/usr/share/skel/dot.login.freebsd create mode 100644 files/usr/share/skel/dot.profile.freebsd create mode 100644 files/usr/share/skel/dot.shrc.freebsd (limited to 'files') 
diff --git a/files/etc/cron.d/zfs-autosnapshot.freebsd b/files/etc/cron.d/zfs-autosnapshot.freebsd
new file mode 100644
index 0000000..0cc1e3b
--- /dev/null
+++ b/files/etc/cron.d/zfs-autosnapshot.freebsd
@@ -0,0 +1,5 @@
+15,30,45 * * * * root /usr/local/sbin/zfs-auto-snapshot frequent 4
+0 * * * * root /usr/local/sbin/zfs-auto-snapshot hourly 24
+7 0 * * * root /usr/local/sbin/zfs-auto-snapshot daily 7
+14 0 * * 7 root /usr/local/sbin/zfs-auto-snapshot weekly 4
+28 0 1 * * root /usr/local/sbin/zfs-auto-snapshot monthly 12
diff --git a/files/etc/cron.d/zfs-trim.freebsd b/files/etc/cron.d/zfs-trim.freebsd
deleted file mode 100644
index 80e0cd5..0000000
--- a/files/etc/cron.d/zfs-trim.freebsd
+++ /dev/null
@@ -1 +0,0 @@
-@weekly root zpool list -Ho name | xargs -r -n1 zpool trim
diff --git a/files/etc/cron.d/zfs.freebsd b/files/etc/cron.d/zfs.freebsd
new file mode 100644
index 0000000..477f1df
--- /dev/null
+++ b/files/etc/cron.d/zfs.freebsd
@@ -0,0 +1,2 @@
+@weekly root zpool list -Ho name | xargs -r -n1 zpool trim
+@monthly root zpool list -Ho name | xargs -r zpool scrub
diff --git a/files/etc/login.access.freebsd b/files/etc/login.access.freebsd
new file mode 100644
index 0000000..e6667db
--- /dev/null
+++ b/files/etc/login.access.freebsd
@@ -0,0 +1,13 @@
+# Always allow root logins.
++:root:ALL
+
+$(if [ -n "${login_access_groups:-}" ] || [ -n "${login_access_users:-}" ]; then
+ printf -- '-:ALL EXCEPT '
+if [ -n "${login_access_groups:-}" ]; then
+ printf '(%s) ' ${login_access_groups}
+fi
+if [ -n "${login_access_users:-}" ]; then
+ printf '%s ' ${login_access_users}
+fi
+ printf ':ALL\n'
+fi)
diff --git a/files/etc/pam.d/kde.freebsd b/files/etc/pam.d/kde.freebsd
index 8f87b98..cb89294 100644
--- a/files/etc/pam.d/kde.freebsd
+++ b/files/etc/pam.d/kde.freebsd
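Review bot: `+:root:ALL` is the first rule in the generated login.access, so root is exempt from the `-:ALL EXCEPT … :ALL` deny rule from every origin, including remote ones, and pam_login_access is consulted by the sshd, login and sddm policies in this same commit. If the intent is console-only root, `+:root:LOCAL` (or an explicit list of console ttys) expresses that; sshd's own PermitRootLogin is a separate gate and presumably still applies. The deny rule is also emitted only when one of the two variables is set, so an unset config silently allows every user, which deserves a comment above the `$(…)` block, e.g. `# No restriction is generated unless login_access_groups or login_access_users is set.`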
@@ -1,5 +1,5 @@ auth required /usr/local/lib/security/pam_krb5.so try_first_pass account required /usr/local/lib/security/pam_krb5.so -account required pam_login_access.so +account required pam_login_access.so nodefgroup account required pam_unix.so diff --git a/files/etc/pam.d/login.freebsd b/files/etc/pam.d/login.freebsd index 164fcb0..ae50bbe 100644 --- a/files/etc/pam.d/login.freebsd +++ b/files/etc/pam.d/login.freebsd @@ -5,12 +5,13 @@ auth required pam_unix.so no_warn try_first_pass nullok account requisite pam_securetty.so account required pam_nologin.so account required /usr/local/lib/security/pam_krb5.so -account required pam_login_access.so +account required pam_login_access.so nodefgroup account required pam_unix.so session required pam_lastlog.so no_fail session required pam_xdg.so session required /usr/local/lib/security/pam_krb5.so +session optional /usr/local/lib/pam_mkhomedir.so mode=0700 password sufficient /usr/local/lib/security/pam_krb5.so try_first_pass password required pam_unix.so no_warn try_first_pass diff --git a/files/etc/pam.d/other.freebsd b/files/etc/pam.d/other.freebsd new file mode 100644 index 0000000..38db8c5 --- /dev/null +++ b/files/etc/pam.d/other.freebsd @@ -0,0 +1,8 @@ +auth required pam_unix.so no_warn try_first_pass + +account required pam_nologin.so +account required pam_unix.so + +session required pam_permit.so + +password required pam_permit.so diff --git a/files/etc/pam.d/sddm.freebsd b/files/etc/pam.d/sddm.freebsd index 6a75823..c222750 100644 --- a/files/etc/pam.d/sddm.freebsd +++ b/files/etc/pam.d/sddm.freebsd 
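Review bot: `session optional /usr/local/lib/pam_mkhomedir.so mode=0700` is `optional` here and in the sddm hunk, but the same line is `required` in the sshd hunk, so a failed home-directory creation (home filesystem not mounted, module missing) aborts SSH sessions while console and SDDM logins proceed without a home. Either use one control flag in all three policies or add a comment in the sshd file stating why SSH is meant to fail closed. The login.freebsd hunk starts at line 5 of the file, so the auth lines above it are not visible here.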
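Review bot: `password required pam_permit.so` in the new `other` fallback policy makes the password stack succeed for any service that has no policy of its own, so a password change attempted through an unconfigured service reports success without changing anything. The fallback is exactly where a stack should fail closed; FreeBSD's libpam ships `pam_deny.so`, so `password required pam_deny.so` (or `password required pam_unix.so no_warn try_first_pass`, matching the stacks that do manage passwords) is the safer line. `session required pam_permit.so` is conventional and can stay.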
@@ -10,12 +10,13 @@ auth optional pam_kwallet5.so account requisite pam_securetty.so account required pam_nologin.so account required /usr/local/lib/security/pam_krb5.so -account required pam_login_access.so +account required pam_login_access.so nodefgroup account required pam_unix.so session required pam_lastlog.so no_fail session required pam_xdg.so no_fail session required /usr/local/lib/security/pam_krb5.so +session optional /usr/local/lib/pam_mkhomedir.so mode=0700 session optional pam_kwallet5.so auto_start password required /usr/local/lib/security/pam_krb5.so try_first_pass diff --git a/files/etc/pam.d/sshd.freebsd b/files/etc/pam.d/sshd.freebsd index 559a980..1f81b48 100644 --- a/files/etc/pam.d/sshd.freebsd +++ b/files/etc/pam.d/sshd.freebsd @@ -3,11 +3,11 @@ auth required pam_unix.so no_warn try_first_pass account required pam_nologin.so account required /usr/local/lib/security/pam_krb5.so -account required pam_login_access.so +account required pam_login_access.so nodefgroup account required pam_unix.so session required /usr/local/lib/security/pam_krb5.so -session required pam_permit.so +session required /usr/local/lib/pam_mkhomedir.so mode=0700 password sufficient /usr/local/lib/security/pam_krb5.so try_first_pass password required pam_unix.so no_warn try_first_pass diff --git a/files/etc/pam.d/su.freebsd b/files/etc/pam.d/su.freebsd new file mode 100644 index 0000000..0bd3ea0 --- /dev/null +++ b/files/etc/pam.d/su.freebsd @@ -0,0 +1,10 @@ +auth sufficient pam_rootok.so no_warn +auth sufficient pam_self.so no_warn +auth requisite pam_group.so no_warn group=wheel root_only fail_safe ruser +auth sufficient /usr/local/lib/security/pam_krb5.so try_first_pass +auth required pam_unix.so no_warn try_first_pass nullok + +account required /usr/local/lib/security/pam_krb5.so +account required pam_unix.so + +session required pam_permit.so diff --git a/files/etc/pam.d/sudo.freebsd b/files/etc/pam.d/sudo.freebsd index 6a6b0a4..6c0a573 100644 
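Review bot: `auth required pam_unix.so no_warn try_first_pass nullok` on the new su stack lets `su` into any target account whose password field is empty without a prompt, because `nullok` accepts an empty hash; the sshd and other policies on this page omit `nullok` while login and system keep it. Unless empty-password local accounts are intended, drop it here: `auth required pam_unix.so no_warn try_first_pass`. The Kerberos line being `sufficient` means a failed Kerberos check falls through to the Unix password, consistent with the login policy.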
--- a/files/etc/pam.d/sudo.freebsd +++ b/files/etc/pam.d/sudo.freebsd @@ -2,10 +2,9 @@ auth sufficient /usr/local/lib/security/pam_krb5.so try_first_pass auth required pam_unix.so no_warn try_first_pass account required /usr/local/lib/security/pam_krb5.so -account required pam_login_access.so account required pam_unix.so -account required pam_permit.so +session required pam_permit.so password sufficient /usr/local/lib/security/pam_krb5.so try_first_pass password required pam_unix.so no_warn try_first_pass diff --git a/files/etc/pam.d/system.freebsd b/files/etc/pam.d/system.freebsd new file mode 100644 index 0000000..b85310c --- /dev/null +++ b/files/etc/pam.d/system.freebsd @@ -0,0 +1,8 @@ +auth required pam_unix.so no_warn try_first_pass nullok + +account required pam_unix.so + +session required pam_lastlog.so no_fail +session required pam_xdg.so + +password required pam_unix.so no_warn try_first_pass diff --git a/files/etc/pf.conf.nfs_server b/files/etc/pf.conf.nfs_server new file mode 100644 index 0000000..628ed7c --- /dev/null +++ b/files/etc/pf.conf.nfs_server 
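Review bot: The new `system` policy carries neither `pam_login_access.so` nor the Kerberos lines that every per-service policy in this commit has, and no file on this page includes it, so any stock FreeBSD policy that still does `include system` would authenticate against pam_unix alone and bypass login.access. If that is deliberate, say so in a header comment, e.g. `# Unix-only stack for policies that "include system"; login.access and Kerberos are enforced per service.`; otherwise add `account required pam_login_access.so nodefgroup` to match the other account stacks. The sudo hunk starts at line 2 of its file, so its first auth line is not visible here.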
@@ -0,0 +1,52 @@ +$(if [ -n "${pf_egress_interfaces:-}" ]; then + printf 'egress = "{ %s }"\n' "$(join ', ' $pf_egress_interfaces)" + else + printf 'egress = "%s"\n' "$BOXCONF_DEFAULT_INTERFACE" + fi) +allowed_tcp_ports = "{ $(join ', ' ${allowed_tcp_ports:-}) }" +allowed_udp_ports = "{ $(join ', ' ${allowed_udp_ports:-}) }" + +$([ "${acme_standalone:-}" = true ] && cat < ($egress) port $acme_standalone_port' + +[ -n "${redirect_tcp_ports:-}" ] && printf \ + 'rdr on $egress inet proto tcp to port %s -> ($egress) port %s\n' $redirect_tcp_ports + +[ -n "${redirect_udp_ports:-}" ] && printf \ + 'rdr on $egress inet proto udp to port %s -> ($egress) port %s\n' $redirect_udp_ports) + +antispoof quick for \$egress + +block all +pass out quick on \$egress inet +pass in quick on \$egress inet proto icmp all icmp-type { echoreq, unreach } + +$([ "${acme_standalone:-}" = true ] && echo \ + 'pass in quick on $egress inet proto tcp to port $acme_standalone_port user $acme_standalone_user' + +[ -n "${allowed_tcp_ports:-}" ] && echo \ + 'pass in quick on $egress inet proto tcp to port $allowed_tcp_ports' + +[ -n "${allowed_udp_ports:-}" ] && echo \ + 'pass in quick on $egress inet proto udp to port $allowed_udp_ports' + +[ "$BOXCONF_VIRTUALIZATION_TYPE" == jail ] || echo \ + 'pass in quick on $egress inet proto { tcp, udp } to port $nfscbd_port' + +for user in ${syncthing_users:-}; do uid=$(id -u "$user"); eval "port=\$syncthing_${user}_port"; printf \ + 'pass in quick on $egress inet proto { tcp, udp } to port %s user %s\n' "$port" "$(id -u "$user")" +done) diff --git a/files/usr/local/etc/nginx/vhosts.conf.nfs_server b/files/usr/local/etc/nginx/vhosts.conf.nfs_server new file mode 100644 index 0000000..e6fa55b --- /dev/null +++ b/files/usr/local/etc/nginx/vhosts.conf.nfs_server 
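Review bot: In the final `$(…)` block, `uid=$(id -u "$user")` is assigned but never used (printf calls `id -u` a second time) and neither call is checked, so an instance name with no local account produces an empty `user` field and a pf.conf that pfctl rejects at load time. Resolve it once and fail loudly: `uid=$(id -u "$user") || exit 1`, then pass `"$uid"` to printf. `eval "port=\$syncthing_${user}_port"` builds a variable name from the instance list; the list comes from boxconf variables so exposure is low, but a guard such as `case "$user" in *[!A-Za-z0-9_]*) echo "bad syncthing user: $user" >&2; exit 1;; esac` before the eval guarantees it only ever names a variable. `[ "$BOXCONF_VIRTUALIZATION_TYPE" == jail ]` mixes with the `= true` tests earlier in the hunk; `=` is the portable form for /bin/sh. The heredoc bodies (the rdr and acme rules) did not survive this rendering and are not reviewable here.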
@@ -0,0 +1,38 @@ +$(for user in ${syncthing_users:-}; do cat < "${syncthing_user_iconfdir}/config.xml" + fi +} + +if [ -n "$syncthing_user_instances" ]; then + _1=$1 + if [ $# -gt 1 ]; then + shift + syncthing_user_instances=$* + fi + + rc=0 + for syncthing_user_user in $syncthing_user_instances; do + syncthing_user_group=$syncthing_user_user + syncthing_user_iconfdir="${syncthing_user_confdir}/${syncthing_user_user}" + syncthing_user_irundir="${syncthing_user_rundir}/${syncthing_user_user}" + unset syncthing_user_port + eval "syncthing_user_port=\$syncthing_user_${syncthing_user_user}_port" + + if [ -z "${syncthing_user_port:-}" ]; then + echo "syncthing_user_${syncthing_user_user}_port not defined in /etc/rc.conf - skipping" 1>&2 + continue + fi + + pidfile="${syncthing_user_rundir}/${syncthing_user_user}/syncthing.pid" + command_args="-cf -s info -l daemon -T syncthing-${syncthing_user_user} -p ${pidfile} -t syncthing-${syncthing_user_user} \ + ${procname} ${syncthing_user_args} --home=${syncthing_user_iconfdir} --gui-address=unix://${syncthing_user_irundir}/syncthing.sock" + + run_rc_command "$_1" + if [ $? -ne 0 ]; then rc=1; fi + + unset _pidcmd _rc_restart_done + done + + exit $rc +else + echo 'No users defined. Set syncthing_user_instances in /etc/rc.conf.' 1>&2 + exit 1 +fi diff --git a/files/usr/local/etc/syncthing.template.xml.nfs_server b/files/usr/local/etc/syncthing.template.xml.nfs_server new file mode 100644 index 0000000..3ee90a1 --- /dev/null +++ b/files/usr/local/etc/syncthing.template.xml.nfs_server @@ -0,0 +1,131 @@ + + +
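Review bot: `eval "syncthing_user_port=\$syncthing_user_${syncthing_user_user}_port"` evaluates a string built from each instance name, and those names can come from the command line (`syncthing_user_instances=$*` when extra arguments are given), not only from rc.conf. Validating the name before the eval is cheap and gives a clearer failure than a later daemon or pf error, e.g. `case "$syncthing_user_user" in *[!A-Za-z0-9_]*) echo "invalid instance name: $syncthing_user_user" 1>&2; rc=1; continue;; esac`. `unset _pidcmd _rc_restart_done` reaches into rc.subr private state so `run_rc_command` can be invoked once per instance; a comment naming that dependency would help, e.g. `# reset rc.subr internals so run_rc_command can be re-run for the next instance`. The beginning of this hunk (the rc.subr boilerplate and the config-generation helper) is mangled in this rendering and could not be reviewed.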
tcp://__FQDN__:__PORT__
+ false + false + 0 + 0 + 0 + false + 0 + 0 +
+ +
unix://__SOCK__
+ 770 + default + true +
+ + + quic://0.0.0.0:__PORT__ + tcp://0.0.0.0:__PORT__ + default + false + false + 0 + [ff12::8384]:0 + 0 + 0 + 60 + false + 10 + false + false + 60 + 30 + 10 + -1 + 0 + + https://data.syncthing.net/newdata + false + 1800 + 0 + false + 24 + false + 5 + false + 1 + https://upgrades.syncthing.net/meta.json + false + 10 + 0 + false + 0 + https://crash.syncthing.net/newcrash + false + 0 + 0 + default + auto + 0 + true + false + 0 + 0 + false + 10 + 20 + 30 + 40 + 50 + 0 + + + + basic + + + + 1 + + 3600 + + basic + + 0 + 0 + 0 + random + false + 0 + 0 + 10 + false + false + false + 25 + .stfolder + false + 0 + 2 + false + standard + standard + false + false + false + false + false + false + + 1024 + 4096 + + + +
dynamic
+ false + false + 0 + 0 + 0 + false + 0 + 0 +
+ +
+
diff --git a/files/usr/share/skel/dot.login.freebsd b/files/usr/share/skel/dot.login.freebsd new file mode 100644 index 0000000..6afb9f2 --- /dev/null +++ b/files/usr/share/skel/dot.login.freebsd @@ -0,0 +1,4 @@ +# .login - csh login script, read by login shell, after `.cshrc' at login. + +# Query terminal size; useful for serial lines. +if ( -x /usr/bin/resizewin ) /usr/bin/resizewin -z diff --git a/files/usr/share/skel/dot.profile.freebsd b/files/usr/share/skel/dot.profile.freebsd new file mode 100644 index 0000000..0197635 --- /dev/null +++ b/files/usr/share/skel/dot.profile.freebsd @@ -0,0 +1,6 @@ +export CLICOLOR=1 +export PAGER=less +export LESS='-iMRS -x2' +export EDITOR=vi +export LSCOLORS=DxfxgxgxcxxbxbaCacADAd +export ENV="${HOME}/.shrc" diff --git a/files/usr/share/skel/dot.shrc.freebsd b/files/usr/share/skel/dot.shrc.freebsd new file mode 100644 index 0000000..bc8e8da --- /dev/null +++ b/files/usr/share/skel/dot.shrc.freebsd @@ -0,0 +1,19 @@ +reset=$'\e[0m' +blue=$'\e[0;34m' +green=$'\e[0;32m' +PS1="\[${green}\]\u@\h\[${reset}\]:\[${blue}\]\W\[${green}\]\$\[${reset}\] " +unset reset blue green + +alias ls='ls -FHh' +alias ll='ls -l' +alias la='ls -la' +alias ..='cd ..' +alias ...='cd ../..' +alias mkdir='mkdir -p' +alias df='df -h' +alias du='du -ch' + +bind ^[[A ed-search-prev-history +bind ^[[B ed-search-next-history +bind "\\e[1;5C" em-next-word +bind "\\e[1;5D" ed-prev-word -- cgit v1.2.3