Merge pull request #36 from cedwards/master

update bastille.conf for updated options
2019-06-22 09:56:47 -06:00 · 2019-06-22 09:55:28 -06:00 · 2019-06-22 09:40:11 -06:00 · 2019-06-22 09:39:16 -06:00 · 2019-06-22 09:36:37 -06:00 · 2019-06-22 09:32:46 -06:00
55 changed files with 1389 additions and 519 deletions
--- a/2
+++ b/2
@@ -1,6 +1,6 @@
 BSD 3-Clause License
-Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 All rights reserved.
 Redistribution and use in source and binary forms, with or without
--- a/README.md
+++ b/README.md
@@ -1,38 +1,22 @@
 Bastille
 ========
-Bastille is a jail automation framework that allows you to quickly and
+Bastille is a jail automation framework that allows you to quickly create and
-easily create and manage FreeBSD jail.
+manage FreeBSD jails.
 Installation
------------
+============
-Bastille is not (yet) in the official ports tree, but I have built and verified
+Bastille is available in the official ports tree.
 binary packages.
 To install using one of the BETA binary packages, copy the URL for the latest
 release here (TXZ file): https://github.com/bastillebsd/bastille/releases
 Then, install via `pkg`. 
 Example:
 **pkg**
 ```shell
-pkg add https://github.com/BastilleBSD/bastille/releases/download/0.3.20181120/bastille-0.3.20181120.txz
+pkg install bastille
 ```
-BETA binary packages are signed. These can be verified with this pubkey:
+**ports**
-
+```shell
 make -C /usr/ports/sysutils/bastille install clean
 ```
 -----BEGIN PUBLIC KEY-----
 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq28OLDhJ12JmsKKcJpnn
 pCW3fFYBNI1BtdvTvFx57ZXvQ2qecBvnR9+XWi83hKS9ALTKZI6CLC2uTv1fIsZl
 u6rDRRNZwZFfITACSfwI+7UObMXz3oBZjk94J3rIegk49EyjDswKdVWv5k1EiVXF
 SAwXSl2kA2hGfQJkj5NS4nrfoRBc0z6fm+BGdNuHKSTmeZh1dbLEHt9EArD20DJ7
 HIr8vUSPLwONeqJCBFA/MeDO+GpwtwA/ldc2ZZy1RCPctdC2NeiGW7oy1yVDu6wp
 mHCq8qDfmCx5Aex84rWUf9iH8TM92AWmegTaz2p+BgESctpjNRCUuSEwOCBIO6g5
 3wIDAQAB
 -----END PUBLIC KEY-----
 ```
 Basic Usage
 -----------
@@ -66,15 +50,13 @@ Use "bastille command -h|--help" for more information about a command.
 ```
-## 0.3-beta
+## 0.4-beta
 This document outlines the basic usage of the Bastille jail management
-framework. This release, obviously, is beta quality. I make no guarantees of
+framework. This release is still considered beta.
 quality, and if it screws up your system... Sorry, bro. 
 With all that said, here's how to use this tool in its current beta state...
-## Network Requirements
+Network Requirements
 ====================
 In order to segregate jails from the network and from the world, Bastille
 attaches jails to a loopback interface only. The host system then acts as
 the firewall, permitting and denying traffic as needed.
@@ -86,14 +68,16 @@ ishmael ~ # sysrc cloned_interfaces+=lo1
 ishmael ~ # service netif cloneup
 ```
-Second, enable NAT through the firewall:
+Second, enable the firewall:
 ```shell
 ishmael ~ # sysrc pf_enable="YES"
 ```
 Create the firewall config, or merge as necessary.
-### /etc/pf.conf
+
 /etc/pf.conf
 ------------
 ```
 ext_if="vtnet0"
@@ -101,10 +85,10 @@ set block-policy drop
 scrub in on $ext_if all fragment reassemble
 set skip on lo
-nat on $ext_if from !($ext_if) -> ($ext_if:0)
+nat on $ext_if from lo1:network to any -> ($ext_if)
 ## rdr example
-## rdr pass inet proto tcp from any to any port {80, 443} -> 10.88.9.45
+## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
 block in log all
 pass out quick modulate state
@@ -122,7 +106,7 @@ Note: if you have an existing firewall, the key lines for in/out traffic to jail
 nat on $ext_if from lo1:network to any -> ($ext_if)
 ## rdr example
-## rdr pass inet proto tcp from any to any port {80, 443} -> 10.88.9.45
+## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
 ```
 The `nat` routes traffic from the loopback interface to the external interface
@@ -130,7 +114,7 @@ for outbound access.
 The `rdr pass ...` will redirect traffic from the host firewall on port X to
 the ip of Jail Y. The example shown redirects web traffic (80 & 443) to the
-jails at `10.88.9.45`.
+jails at `10.17.89.45`.
 We'll get to that later, but when you're ready to allow traffic inbound to your
 jails, that's where you'd do it.
@@ -147,11 +131,46 @@ session and continue.
 This step only needs to be done once in order to prepare the host.
 ZFS support
 ===========
 ![BastilleBSD Twitter Poll](/docs/images/bastillebsd-twitter-poll.png)
 Bastille 0.4 added initial support for ZFS. `bastille bootstrap` and `bastille
 create` will generate ZFS volumes based on settings found in the
 `bastille.conf`. This section outlines how to enable and configure Bastille for
 ZFS.
 Two values are required for Bastille to use ZFS. The default values in the
 `bastille.conf` are empty. Populate these two to enable ZFS.
 ```shell
 ## ZFS options
 bastille_zfs_enable=""                                  ## default: ""
 bastille_zfs_zpool=""                                   ## default: ""
 bastille_zfs_prefix="bastille"                          ## default: "${bastille_zfs_zpool}/bastille"
 bastille_zfs_mountpoint=${bastille_prefix}              ## default: "${bastille_prefix}"
 bastille_zfs_options="-o compress=lz4 -o atime=off"     ## default: "-o compress=lz4 -o atime=off"
 ```
 **Example**
 ```shell
 ishmael ~ # sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_enable=YES
 ishmael ~ # sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_zpool=ZPOOL_NAME
 ```
 Replace `ZPOOL_NAME` with the zpool you want Bastille to use. Tip: `zpool list`
 and `zpool status` will help.
 bastille bootstrap
 ------------------
-The first step is to "bootstrap" a release. Current supported release is
+Before you can begin creating jails, Bastille needs to "bootstrap" a release.
-11.2-RELEASE, but you can bootstrap anything in the ftp.FreeBSD.org RELEASES
+Current supported releases are 11.2-RELEASE and 12.0-RELEASE, but you can
-directory. 
+bootstrap anything in the ftp.FreeBSD.org RELEASES directory.
 **Important: If you need ZFS support see the above section BEFORE bootstrapping.**
 Note: your mileage may vary with unsupported releases and releases newer than
 the host system likely will NOT work at all.
@@ -159,48 +178,74 @@ the host system likely will NOT work at all.
 To `bootstrap` a release, run the bootstrap sub-command with the
 release version as the argument.
 ** FreeBSD 12.0-RELEASE **
 ```shell
 ishmael ~ # bastille bootstrap 12.0-RELEASE
 ```
 ** FreeBSD 11.2-RELEASE **
 ```shell
 ishmael ~ # bastille bootstrap 11.2-RELEASE
-ishmael ~ # bastille bootstrap 12.0-RELEASE
+```
 ** HardenedBSD 12-STABLE-LAST **
 ```shell
 ishmael ~ # bastille bootstrap 12-STABLE-LAST
 ```
 ** HardenedBSD 11-STABLE-LAST **
 ```shell
 ishmael ~ # bastille bootstrap 11-STABLE-LAST
 ```
 This command will ensure the required directory structures are in place and
 download the requested release. For each requested release, `bootstrap` will
-download the base.txz and lib32.txz. These are both verified (sha256 via
+download the base.txz. If you need more than base (eg; ports, lib32, src) you
-MANIFEST file) before they are extracted for use.
+can configure the `bastille_bootstrap_archives` in the configuration file. By
 default this value is set to "base". Additional components are added, space
 separated, without extension.
-Downloaded artifacts are stored in the `cache` directory. "bootstrapped"
+Bastille will attempt to fetch the required archives if they are not found in
-releases are stored in `releases/version`.
+the `cache/$RELEASE` directory. 
 Downloaded artifacts are stored in the `cache/$RELEASE` directory. "bootstrapped"
 releases are stored in `releases/$RELEASE`.
 Advanced: If you want to create your own custom base.txz, or use an unsupported
 variant of FreeBSD, drop your own base.txz in `cache/$RELEASE/base.txz` and
 `bastille bootstrap` will attempt to extract and use it.
 The bootstrap subcommand is generally only used once to prepare the system. The
-only other use case for the bootstrap command is when a new FreeBSD version is
+other use cases for the bootstrap command are when a new FreeBSD version is
-released and you want to start building jails on that version.
+released and you want to start building jails on that version, or bootstrapping
 templates from GitHub or GitLab.
-To update a release as patches are made available, see the `bastille update`
+See `bastille update` to ensure your bootstrapped releases include the latest
-command.
+patches.
 bastille create
 ---------------
-Bastille create uses any available bootstrapped release to create a lightweight
+`bastille create` uses a bootstrapped release to create a lightweight
-jailized system. To create a jail simply provide a name, release and
+jailed system. To create a jail simply provide a name, release and
 a private (rfc1918) IP address.
 - name
 - release (bootstrapped)
 - ip
 ```shell
-ishmael ~ # bastille create folsom 11.2-RELEASE 10.8.62.1
+ishmael ~ # bastille create folsom 12.0-RELEASE 10.17.89.10
-RELEASE: 11.2-RELEASE.
+RELEASE: 12.0-RELEASE.
 NAME: folsom.
-IP: 10.8.62.1.
+IP: 10.17.89.10.
 ```
-This command will create a 11.2-RELEASE jail assigning the 10.8.62.1 ip address
+This command will create a 12.0-RELEASE jail assigning the 10.17.89.10 ip
-to the new system.
+address to the new system.
 I recommend using private (rfc1918) ip address ranges for your jails.
 These ranges include:
@@ -209,8 +254,11 @@ These ranges include:
 - 172.16.0.0/12
 - 192.168.0.0/16
 If your Bastille host also uses private (rfc1918) addresses, use a different
 range for your jails. ie; Host uses 192.168.0.0/16, jails use 10.0.0.0/8.
 Bastille does its best to validate the submitted ip is valid. This has not been
-thouroughly tested--I generally use the 10/8 range.
+thouroughly tested. I generally use the 10.0.0.0/8 range for jails.
 bastille start
@@ -219,9 +267,6 @@ To start a jail you can use the `bastille start` command.
 ```shell
 ishmael ~ # bastille start folsom
 Targeting specified jails.
 folsom
 [folsom]:
 folsom: created
@@ -234,9 +279,6 @@ To stop a jail you can use the `bastille stop` command.
 ```shell
 ishmael ~ # bastille stop folsom
 Targeting specified jails.
 folsom
 [folsom]:
 folsom: removed
@@ -249,15 +291,9 @@ To restart a jail you can use the `bastille restart` command.
 ```shell
 ishmael ~ # bastille restart folsom
 Targeting specified jails.
 folsom
 [folsom]:
 folsom: removed
 Targeting specified jails.
 folsom
 [folsom]:
 folsom: created
@@ -270,9 +306,6 @@ To execute commands within the jail you can use `bastille cmd`.
 ```shell
 ishmael ~ # bastille cmd folsom 'ps -auxw'
 Targeting specified jails.
 folsom
 [folsom]:
 USER   PID %CPU %MEM   VSZ  RSS TT  STAT STARTED    TIME COMMAND
 root 71464  0.0  0.0 14536 2000  -  IsJ   4:52PM 0:00.00 /usr/sbin/syslogd -ss
@@ -288,9 +321,6 @@ To manage binary packages within the jail use `bastille pkg`.
 ```shell
 ishmael ~ # bastille pkg folsom 'install vim-console git-lite zsh'
 Targeting specified jails.
 folsom
 [folsom]:
 The package management tool is not yet installed on your system.
 Do you want to fetch and install it now? [y/N]: y
@@ -361,23 +391,20 @@ Creating user 'git_daemon' with uid '964'.
 [folsom] [9/10] Extracting git-lite-2.19.1: 100%
 [folsom] [10/10] Installing zsh-5.6.2...
 [folsom] [10/10] Extracting zsh-5.6.2: 100%
 ```
 The PKG sub-command can, of course, do more than just `install`. The
 expectation is that you can fully leverage the pkg manager. This means,
-`install`, `update`, `upgrade`, `audit`, `clean`, `autoremove`, etc., etc.
+`install`, `update`, `upgrade`, `audit`, `clean`, `autoremove`, etc.
 ```shell
 ishmael ~ # bastille pkg ALL upgrade
 Targeting all jails.
 [bastion]:
-Updating iniquity.io repository catalogue...
+Updating pkg.bastillebsd.org repository catalogue...
 [bastion] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
 [bastion] Fetching packagesite.txz: 100%  118 KiB 121.3kB/s    00:01
 Processing entries: 100%
-iniquity.io repository update completed. 493 packages processed.
+pkg.bastillebsd.org repository update completed. 493 packages processed.
 All repositories are up to date.
 Checking for upgrades (1 candidates): 100%
 Processing candidates (1 candidates): 100%
@@ -385,11 +412,11 @@ Checking integrity... done (0 conflicting)
 Your packages are up to date.
 [unbound0]:
-Updating iniquity.io repository catalogue...
+Updating pkg.bastillebsd.org repository catalogue...
 [unbound0] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
 [unbound0] Fetching packagesite.txz: 100%  118 KiB 121.3kB/s    00:01
 Processing entries: 100%
-iniquity.io repository update completed. 493 packages processed.
+pkg.bastillebsd.org repository update completed. 493 packages processed.
 All repositories are up to date.
 Checking for upgrades (0 candidates): 100%
 Processing candidates (0 candidates): 100%
@@ -397,11 +424,11 @@ Checking integrity... done (0 conflicting)
 Your packages are up to date.
 [unbound1]:
-Updating iniquity.io repository catalogue...
+Updating pkg.bastillebsd.org repository catalogue...
 [unbound1] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
 [unbound1] Fetching packagesite.txz: 100%  118 KiB 121.3kB/s    00:01
 Processing entries: 100%
-iniquity.io repository update completed. 493 packages processed.
+pkg.bastillebsd.org repository update completed. 493 packages processed.
 All repositories are up to date.
 Checking for upgrades (0 candidates): 100%
 Processing candidates (0 candidates): 100%
@@ -409,11 +436,11 @@ Checking integrity... done (0 conflicting)
 Your packages are up to date.
 [squid]:
-Updating iniquity.io repository catalogue...
+Updating pkg.bastillebsd.org repository catalogue...
 [squid] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
 [squid] Fetching packagesite.txz: 100%  118 KiB 121.3kB/s    00:01
 Processing entries: 100%
-iniquity.io repository update completed. 493 packages processed.
+pkg.bastillebsd.org repository update completed. 493 packages processed.
 All repositories are up to date.
 Checking for upgrades (0 candidates): 100%
 Processing candidates (0 candidates): 100%
@@ -421,11 +448,11 @@ Checking integrity... done (0 conflicting)
 Your packages are up to date.
 [nginx]:
-Updating iniquity.io repository catalogue...
+Updating pkg.bastillebsd.org repository catalogue...
 [nginx] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
 [nginx] Fetching packagesite.txz: 100%  118 KiB 121.3kB/s    00:01
 Processing entries: 100%
-iniquity.io repository update completed. 493 packages processed.
+pkg.bastillebsd.org repository update completed. 493 packages processed.
 All repositories are up to date.
 Checking for upgrades (1 candidates): 100%
 Processing candidates (1 candidates): 100%
@@ -458,9 +485,6 @@ Note: jails must be stopped before destroyed.
 ```shell
 ishmael ~ # bastille stop folsom
 Targeting specified jails.
 folsom
 [folsom]:
 folsom: removed
@@ -477,7 +501,7 @@ Bastille supports a templating system allowing you to apply files, pkgs and
 execute commands inside the jail automatically.
 Currently supported template hooks are: `PRE`, `CONFIG`, `PKG`, `SYSRC`, `CMD`.
-Planned template hooks include: `FSTAB`, `PF`
+Planned template hooks include: `FSTAB`, `PF`, `LOG`
 Templates are created in `${bastille_prefix}/templates` and can leverage any of
 the template hooks. Simply create a new directory named after the template. eg;
@@ -498,12 +522,18 @@ echo "etc root usr" > /usr/local/bastille/templates/base/CONFIG
 Template hooks are executed in specific order and require specific syntax to
 work as expected. This table outlines those requirements:
-| HOOK    | format           | example                              |
+| SUPPORTED | format           | example                                                        |
-|---------|------------------|--------------------------------------|
+|-----------|------------------|----------------------------------------------------------------|
-| PRE/CMD | /bin/sh command  | /usr/bin/chsh -s /usr/local/bin/zsh  |
+| PRE/CMD   | /bin/sh command  | /usr/bin/chsh -s /usr/local/bin/zsh                            |
-| CONFIG  | path             | etc root usr                         |
+| CONFIG    | path             | etc root usr                                                   |
-| PKG     | port/pkg name(s) | vim-console zsh git-lite tree htop   |
+| PKG       | port/pkg name(s) | vim-console zsh git-lite tree htop                             |
-| SYSRC   | sysrc command(s) | nginx_enable=YES                     |
+| SYSRC     | sysrc command(s) | nginx_enable=YES                                               |
 | PLANNED | format           | example                                                        |
 |---------|------------------|----------------------------------------------------------------|
 | PF      | pf rdr entry     | rdr pass inet proto tcp from any to any port 80 -> 10.17.89.80 |
 | LOG     | path             | /var/log/nginx/access.log                                      |
 | FSTAB   | fstab syntax     | /path/on/host /path/in/jail nullfs ro 0 0                      |
 Note: SYSRC requires NO quotes or that quotes (`"`) be escaped. ie; `\"`)
@@ -531,6 +561,7 @@ The above example "etc usr" will include anything under "etc" and "usr" inside
 the template. You do not need to list individual files. Just include the
 top-level directory name.
 Applying Templates
 ------------------
@@ -573,10 +604,7 @@ In jail terms, this allows us to toggle on/off services and options at
 startup.
 ```shell
-ishmael ~ # bastille sysrc nginx nginx_enable="YES"
+ishmael ~ # bastille sysrc nginx nginx_enable=YES
 Targeting specified jails.
 nginx
 [nginx]:
 nginx_enable: NO -> YES
 ```
@@ -591,9 +619,6 @@ password-less root login.
 ```shell
 ishmael ~ # bastille console folsom
 Targeting specified jails.
 folsom
 [folsom]:
 FreeBSD 11.2-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018
@@ -623,6 +648,7 @@ At this point you are logged in to the jail and have full shell access.
 The system is yours to use and/or abuse as you like. Any changes made inside
 the jail are limited to the jail. 
 bastille cp
 -----------
 Note: this sub-command may need a little work. 
@@ -631,8 +657,6 @@ This sub-command allows efficiently copying files from host to jail(s).
 ```shell
 ishmael ~ # bastille cp ALL /tmp/resolv.conf-cf etc/resolv.conf
 Targeting all jails.
 [bastion]:
 [unbound0]:
@@ -657,12 +681,12 @@ This sub-command will show you the running jails on your system.
 ```shell
 ishmael ~ # bastille list
 JID             IP Address      Hostname                      Path
- bastion         10.88.9.65      bastion                       /usr/local/bastille/jails/bastion/root
+ bastion         10.17.89.65      bastion                       /usr/local/bastille/jails/bastion/root
- unbound0        10.88.9.60      unbound0                      /usr/local/bastille/jails/unbound0/root
+ unbound0        10.17.89.60      unbound0                      /usr/local/bastille/jails/unbound0/root
- unbound1        10.88.9.61      unbound1                      /usr/local/bastille/jails/unbound1/root
+ unbound1        10.17.89.61      unbound1                      /usr/local/bastille/jails/unbound1/root
- squid           10.88.9.30      squid                         /usr/local/bastille/jails/squid/root
+ squid           10.17.89.30      squid                         /usr/local/bastille/jails/squid/root
- nginx           10.88.9.45      nginx                         /usr/local/bastille/jails/nginx/root
+ nginx           10.17.89.45      nginx                         /usr/local/bastille/jails/nginx/root
- folsom          10.8.62.1       folsom                        /usr/local/bastille/jails/folsom/root
+ folsom          10.17.89.10      folsom                        /usr/local/bastille/jails/folsom/root
 ```
@@ -739,27 +763,21 @@ Example (create, start, console)
 This example creates, starts and consoles into the jail.
 ```shell
-ishmael ~ # bastille create alcatraz 11.2-RELEASE 10.9.8.7
+ishmael ~ # bastille create alcatraz 11.2-RELEASE 10.17.89.7
 RELEASE: 11.2-RELEASE.
 NAME: alcatraz.
-IP: 10.9.8.7.
+IP: 10.17.89.7.
 ```
 ```shell
 ishmael ~ # bastille start alcatraz
 Targeting specified jails.
 alcatraz
 [alcatraz]:
 alcatraz: created
 ```
 ```shell
 ishmael ~ # bastille console alcatraz
 Targeting specified jails.
 alcatraz
 [alcatraz]:
 FreeBSD 11.2-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018
@@ -822,29 +840,28 @@ Possible Jail names
 -------------------
 prisons:
 - alcatraz
 - arkham
 - ashecliffe
 - astralqueen
 - attica
 - azkaban
 - coldmountain
 - corcoran
 - dolguldur
 - folsom
 - foxriver
 - leavenworth
 - litchfield
 - oswald
 - pelicanbay
 - rikers
 - sanquentin
 - shawshank
 - singsing
 - stockton
 - stormcage
 - ziggurat
 - astralqueen
 - alcatraz
 - rikers
 - leavenworth
 - folsom
 - attica
 - singsing
 - sanquentin
 - corcoran
 - pelicanbay
 Networking Tips
@@ -854,7 +871,7 @@ Tip #1:
 -------
 Ports and destinations can be defined as lists. eg;
 ```
-rdr pass inet proto tcp from any to any port {80, 443} -> {10.88.9.45, 10.88.9.46, 10.88.9.47, 10.88.9.48}
+rdr pass inet proto tcp from any to any port {80, 443} -> {10.17.89.45, 10.17.89.46, 10.17.89.47, 10.17.89.48}
 ```
 This rule would redirect any traffic to the host on ports 80 or 443 and
@@ -865,9 +882,9 @@ Tip #2:
 -------
 Ports can redirect to other ports. eg;
 ```
-rdr pass inet proto tcp from any to any port 8080 -> 10.7.6.5 port 80
+rdr pass inet proto tcp from any to any port 8080 -> 10.17.89.5 port 80
-rdr pass inet proto tcp from any to any port 8081 -> 10.7.6.5 port 8080
+rdr pass inet proto tcp from any to any port 8081 -> 10.17.89.5 port 8080
-rdr pass inet proto tcp from any to any port 8181 -> 10.7.6.5 port 443
+rdr pass inet proto tcp from any to any port 8181 -> 10.17.89.5 port 443
 ```
 Tip #3:
@@ -882,9 +899,9 @@ can.
 Community Support
 =================
-We would love to hear your feedback on Bastille! Please join us on the
+We would love to hear your feedback on Bastille! Please join us in the
-[BastilleBSD Chat Server](https://chat.bastillebsd.org) and let us know what
+[#bastillebsd](ircs://chat.freenode.net:6697/bastillebsd) and let us know what
-you think. Registration is currently open pending email verification. 
+you think.
 Be mindful of the [Bastille Code of
 Conduct](https://github.com/BastilleBSD/bastille/blob/master/CODE-OF-CONDUCT.md)
--- a/docs/README.md
+++ b/docs/README.md
@@ -1 +0,0 @@
 ../README.md
--- a/docs/chapters/installation.rst
+++ b/docs/chapters/installation.rst
@@ -0,0 +1,30 @@
 Installation
 ============
 Bastille is not (yet) in the official ports tree, but I have built and
 verified binary packages.
 To install using one of the BETA binary packages, copy the URL for the
 latest release here (TXZ file):
 https://github.com/bastillebsd/bastille/releases
 Then, install via pkg. 
 Example:
 .. code-block:: shell
  pkg add https://github.com/BastilleBSD/bastille/releases/download/0.3.20181124/bastille-0.3.20181124.txz
 BETA binary packages are signed. These can be verified with this pubkey:
 .. code-block:: shell
  -----BEGIN PUBLIC KEY-----
  MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq28OLDhJ12JmsKKcJpnn
  pCW3fFYBNI1BtdvTvFx57ZXvQ2qecBvnR9+XWi83hKS9ALTKZI6CLC2uTv1fIsZl
  u6rDRRNZwZFfITACSfwI+7UObMXz3oBZjk94J3rIegk49EyjDswKdVWv5k1EiVXF
  SAwXSl2kA2hGfQJkj5NS4nrfoRBc0z6fm+BGdNuHKSTmeZh1dbLEHt9EArD20DJ7
  HIr8vUSPLwONeqJCBFA/MeDO+GpwtwA/ldc2ZZy1RCPctdC2NeiGW7oy1yVDu6wp
  mHCq8qDfmCx5Aex84rWUf9iH8TM92AWmegTaz2p+BgESctpjNRCUuSEwOCBIO6g5
  3wIDAQAB
  -----END PUBLIC KEY-----
--- a/docs/chapters/networking.rst
+++ b/docs/chapters/networking.rst
@@ -0,0 +1,79 @@
 ====================
 Network Requirements
 ====================
 In order to segregate jails from the network and from the world, Bastille
 attaches jails to a loopback interface only. The host system then acts as
 the firewall, permitting and denying traffic as needed.
 First, create the loopback interface:
 .. code-block:: shell
  ishmael ~ # sysrc cloned_interfaces+=lo1
  ishmael ~ # service netif cloneup
 Second, enable NAT through the firewall:
 .. code-block:: shell
  ishmael ~ # sysrc pf_enable="YES"
 /etc/pf.conf
 ------------
 Create the firewall config, or merge as necessary.
 .. code-block:: shell
  ext_if="vtnet0"
  set block-policy drop
  scrub in on $ext_if all fragment reassemble
  set skip on lo
  nat on $ext_if from !($ext_if) -> ($ext_if:0)
  ## rdr example
  ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.88.9.45
  block in log all
  pass out quick modulate state
  antispoof for $ext_if inet
  pass in inet proto tcp from any to any port ssh flags S/SA keep state
 - Make sure to change the `ext_if` variable to match your host system interface.
 - Make sure to include the last line (`port ssh`) or you'll end up locked out.
 Note: if you have an existing firewall, the key lines for in/out traffic
 to jails are:
 .. code-block:: shell
  nat on $ext_if from lo1:network to any -> ($ext_if)
  ## rdr example
  ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.88.9.45
 The `nat` routes traffic from the loopback interface to the external
 interface for outbound access.
 The `rdr pass ...` will redirect traffic from the host firewall on port X
 to the ip of Jail Y. The example shown redirects web traffic (80 & 443) to
 the jails at `10.88.9.45`.
 We'll get to that later, but when you're ready to allow traffic inbound to
 your jails, that's where you'd do it.
 Finally, start up the firewall:
 .. code-block:: shell
  ishmael ~ # service pf restart
 At this point you'll likely be disconnected from the host. Reconnect the
 ssh session and continue.
 This step only needs to be done once in order to prepare the host.
--- a/docs/chapters/subcommands/bootstrap.rst
+++ b/docs/chapters/subcommands/bootstrap.rst
@@ -0,0 +1,34 @@
 =========
 bootstrap
 =========
 The first step is to "bootstrap" a release. Current supported release is
 11.2-RELEASE, but you can bootstrap anything in the ftp.FreeBSD.org
 RELEASES directory. 
 Note: your mileage may vary with unsupported releases and releases newer
 than the host system likely will NOT work at all.
 To `bootstrap` a release, run the bootstrap sub-command with the
 release version as the argument.
 .. code-block:: shell
  ishmael ~ # bastille bootstrap 11.2-RELEASE
  ishmael ~ # bastille bootstrap 12.0-RELEASE
 This command will ensure the required directory structures are in place
 and download the requested release. For each requested release,
 `bootstrap` will download the base.txz and lib32.txz. These are both
 verified (sha256 via MANIFEST file) before they are extracted for use.
 Downloaded artifacts are stored in the `cache` directory. "bootstrapped"
 releases are stored in `releases/version`.
 The bootstrap subcommand is generally only used once to prepare the
 system. The only other use case for the bootstrap command is when a new
 FreeBSD version is released and you want to start building jails on that
 version.
 To update a release as patches are made available, see the `bastille
 update` command.
--- a/docs/chapters/subcommands/cmd.rst
+++ b/docs/chapters/subcommands/cmd.rst
@@ -0,0 +1,14 @@
 ===
 cmd
 ===
 To execute commands within the jail you can use `bastille cmd`.
 .. code-block:: shell
  ishmael ~ # bastille cmd folsom 'ps -auxw'
  [folsom]:
  USER   PID %CPU %MEM   VSZ  RSS TT  STAT STARTED    TIME COMMAND
  root 71464  0.0  0.0 14536 2000  -  IsJ   4:52PM 0:00.00 /usr/sbin/syslogd -ss
  root 77447  0.0  0.0 16632 2140  -  SsJ   4:52PM 0:00.00 /usr/sbin/cron -J 60 -s
  root 80591  0.0  0.0 18784 2340  1  R+J   4:53PM 0:00.00 ps -auxw
--- a/docs/chapters/subcommands/console.rst
+++ b/docs/chapters/subcommands/console.rst
@@ -0,0 +1,36 @@
 console
 =======
 This sub-command launches a login shell into the jail. Default is
 password-less root login.
 .. code-block:: shell
  ishmael ~ # bastille console folsom
  [folsom]:
  FreeBSD 11.2-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018
  Welcome to FreeBSD!
  Release Notes, Errata: https://www.FreeBSD.org/releases/
  Security Advisories:   https://www.FreeBSD.org/security/
  FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
  FreeBSD FAQ:           https://www.FreeBSD.org/faq/
  Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
  FreeBSD Forums:        https://forums.FreeBSD.org/
  Documents installed with the system are in the /usr/local/share/doc/freebsd/
  directory, or can be installed later with:  pkg install en-freebsd-doc
  For other languages, replace "en" with a language code like de or fr.
  Show the version of FreeBSD installed:  freebsd-version ; uname -a
  Please include that output and any error messages when posting questions.
  Introduction to manual pages:  man man
  FreeBSD directory layout:      man hier
  Edit /etc/motd to change this login announcement.
  root@folsom:~ #
 At this point you are logged in to the jail and have full shell access.
 The system is yours to use and/or abuse as you like. Any changes made
 inside the jail are limited to the jail. 
--- a/docs/chapters/subcommands/cp.rst
+++ b/docs/chapters/subcommands/cp.rst
@@ -0,0 +1,21 @@
 cp
 ==
 This command allows efficiently copying files from host to jail(s).
 .. code-block:: shell
  ishmael ~ # bastille cp ALL /tmp/resolv.conf-cf etc/resolv.conf
  [bastion]:
  [unbound0]:
  [unbound1]:
  [squid]:
  [nginx]:
  [folsom]:
 Unless you see errors reported in the output the `cp` was successful.
--- a/docs/chapters/subcommands/create.rst
+++ b/docs/chapters/subcommands/create.rst
@@ -0,0 +1,32 @@
 ======
 create
 ======
 Bastille create uses any available bootstrapped release to create a
 lightweight jailed system. To create a jail simply provide a name,
 bootstrapped release and a private (rfc1918) IP address.
 - name
 - release
 - ip
 .. code-block:: shell
  ishmael ~ # bastille create folsom 11.2-RELEASE 10.8.62.1
  RELEASE: 11.2-RELEASE.
  NAME: folsom.
  IP: 10.8.62.1.
 This command will create a 11.2-RELEASE jail assigning the 10.8.62.1 ip
 address to the new system.
 I recommend using private (rfc1918) ip address ranges for your jails.
 These ranges include:
 - 10.0.0.0/8
 - 172.16.0.0/12
 - 192.168.0.0/16
 Bastille does its best to validate the submitted ip is valid. This has not
 been thouroughly tested--I generally use the 10/8 range.
--- a/docs/chapters/subcommands/destroy.rst
+++ b/docs/chapters/subcommands/destroy.rst
@@ -0,0 +1,18 @@
 destroy
 =======
 Jails can be destroyed and thrown away just as easily as they were
 created.  Note: jails must be stopped before destroyed.
 .. code-block:: shell
  ishmael ~ # bastille stop folsom
  [folsom]:
  folsom: removed
 .. code-block:: shell
  ishmael ~ # bastille destroy folsom
  Deleting Jail: folsom.
  Note: jail console logs not destroyed.
  /usr/local/bastille/logs/folsom_console.log
--- a/docs/chapters/subcommands/htop.rst
+++ b/docs/chapters/subcommands/htop.rst
@@ -0,0 +1,11 @@
 ====
 htop
 ====
 This one runs `htop` inside the jail. 
 note: won't work if you don't have htop installed in the jail.
 .. image:: ../../images/htop.png
    :align: center
    :alt: bastille htop jail
--- a/docs/chapters/subcommands/index.rst
+++ b/docs/chapters/subcommands/index.rst
@@ -0,0 +1,24 @@
 Bastille sub-commands
 =====================
 .. toctree::
   :maxdepth: 2
   :caption: Contents:
   bootstrap
   cmd
   console
   cp
   create
   destroy
   htop
   pkg
   restart
   start
   stop
   sysrc
   top
   update
   update
   upgrade
   verify
--- a/docs/chapters/subcommands/pkg.rst
+++ b/docs/chapters/subcommands/pkg.rst
@@ -0,0 +1,164 @@
 ===
 pkg
 ===
 To manage binary packages within the jail use `bastille pkg`.
 .. code-block:: shell
  ishmael ~ # bastille pkg folsom 'install vim-console git-lite zsh'
  [folsom]:
  The package management tool is not yet installed on your system.
  Do you want to fetch and install it now? [y/N]: y
  Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:10:amd64/quarterly, please wait...
  Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
  [folsom] Installing pkg-1.10.5_5...
  [folsom] Extracting pkg-1.10.5_5: 100%
  Updating FreeBSD repository catalogue...
  pkg: Repository FreeBSD load error: access repo file(/var/db/pkg/repo-FreeBSD.sqlite) failed: No such file or directory
  [folsom] Fetching meta.txz: 100%    944 B   0.9kB/s    00:01
  [folsom] Fetching packagesite.txz: 100%    6 MiB   3.4MB/s    00:02
  Processing entries: 100%
  FreeBSD repository update completed. 32550 packages processed.
  All repositories are up to date.
  Updating database digests format: 100%
  The following 10 package(s) will be affected (of 0 checked):
  New packages to be INSTALLED:
      vim-console: 8.1.0342
      git-lite: 2.19.1
      zsh: 5.6.2
      expat: 2.2.6_1
      curl: 7.61.1
      libnghttp2: 1.33.0
      ca_root_nss: 3.40
      pcre: 8.42
      gettext-runtime: 0.19.8.1_1
      indexinfo: 0.3.1
  Number of packages to be installed: 10
  The process will require 77 MiB more space.
  17 MiB to be downloaded.
  Proceed with this action? [y/N]: y
  [folsom] [1/10] Fetching vim-console-8.1.0342.txz: 100%    5 MiB   5.8MB/s    00:01
  [folsom] [2/10] Fetching git-lite-2.19.1.txz: 100%    4 MiB   2.1MB/s    00:02
  [folsom] [3/10] Fetching zsh-5.6.2.txz: 100%    4 MiB   4.4MB/s    00:01
  [folsom] [4/10] Fetching expat-2.2.6_1.txz: 100%  109 KiB 111.8kB/s    00:01
  [folsom] [5/10] Fetching curl-7.61.1.txz: 100%    1 MiB   1.2MB/s    00:01
  [folsom] [6/10] Fetching libnghttp2-1.33.0.txz: 100%  107 KiB 109.8kB/s    00:01
  [folsom] [7/10] Fetching ca_root_nss-3.40.txz: 100%  287 KiB 294.3kB/s    00:01
  [folsom] [8/10] Fetching pcre-8.42.txz: 100%    1 MiB   1.2MB/s    00:01
  [folsom] [9/10] Fetching gettext-runtime-0.19.8.1_1.txz: 100%  148 KiB 151.3kB/s    00:01
  [folsom] [10/10] Fetching indexinfo-0.3.1.txz: 100%    6 KiB   5.7kB/s    00:01
  Checking integrity... done (0 conflicting)
  [folsom] [1/10] Installing libnghttp2-1.33.0...
  [folsom] [1/10] Extracting libnghttp2-1.33.0: 100%
  [folsom] [2/10] Installing ca_root_nss-3.40...
  [folsom] [2/10] Extracting ca_root_nss-3.40: 100%
  [folsom] [3/10] Installing indexinfo-0.3.1...
  [folsom] [3/10] Extracting indexinfo-0.3.1: 100%
  [folsom] [4/10] Installing expat-2.2.6_1...
  [folsom] [4/10] Extracting expat-2.2.6_1: 100%
  [folsom] [5/10] Installing curl-7.61.1...
  [folsom] [5/10] Extracting curl-7.61.1: 100%
  [folsom] [6/10] Installing pcre-8.42...
  [folsom] [6/10] Extracting pcre-8.42: 100%
  [folsom] [7/10] Installing gettext-runtime-0.19.8.1_1...
  [folsom] [7/10] Extracting gettext-runtime-0.19.8.1_1: 100%
  [folsom] [8/10] Installing vim-console-8.1.0342...
  [folsom] [8/10] Extracting vim-console-8.1.0342: 100%
  [folsom] [9/10] Installing git-lite-2.19.1...
  ===> Creating groups.
  Creating group 'git_daemon' with gid '964'.
  ===> Creating users
  Creating user 'git_daemon' with uid '964'.
  [folsom] [9/10] Extracting git-lite-2.19.1: 100%
  [folsom] [10/10] Installing zsh-5.6.2...
  [folsom] [10/10] Extracting zsh-5.6.2: 100%
 The PKG sub-command can, of course, do more than just `install`. The
 expectation is that you can fully leverage the pkg manager. This means,
 `install`, `update`, `upgrade`, `audit`, `clean`, `autoremove`, etc., etc.
 .. code-block:: shell
  ishmael ~ # bastille pkg ALL upgrade
  [bastion]:
  Updating iniquity.io repository catalogue...
  [bastion] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
  [bastion] Fetching packagesite.txz: 100%  118 KiB 121.3kB/s    00:01
  Processing entries: 100%
  iniquity.io repository update completed. 493 packages processed.
  All repositories are up to date.
  Checking for upgrades (1 candidates): 100%
  Processing candidates (1 candidates): 100%
  Checking integrity... done (0 conflicting)
  Your packages are up to date.
  [unbound0]:
  Updating iniquity.io repository catalogue...
  [unbound0] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
  [unbound0] Fetching packagesite.txz: 100%  118 KiB 121.3kB/s    00:01
  Processing entries: 100%
  iniquity.io repository update completed. 493 packages processed.
  All repositories are up to date.
  Checking for upgrades (0 candidates): 100%
  Processing candidates (0 candidates): 100%
  Checking integrity... done (0 conflicting)
  Your packages are up to date.
  [unbound1]:
  Updating iniquity.io repository catalogue...
  [unbound1] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
  [unbound1] Fetching packagesite.txz: 100%  118 KiB 121.3kB/s    00:01
  Processing entries: 100%
  iniquity.io repository update completed. 493 packages processed.
  All repositories are up to date.
  Checking for upgrades (0 candidates): 100%
  Processing candidates (0 candidates): 100%
  Checking integrity... done (0 conflicting)
  Your packages are up to date.
  [squid]:
  Updating iniquity.io repository catalogue...
  [squid] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
  [squid] Fetching packagesite.txz: 100%  118 KiB 121.3kB/s    00:01
  Processing entries: 100%
  iniquity.io repository update completed. 493 packages processed.
  All repositories are up to date.
  Checking for upgrades (0 candidates): 100%
  Processing candidates (0 candidates): 100%
  Checking integrity... done (0 conflicting)
  Your packages are up to date.
  [nginx]:
  Updating iniquity.io repository catalogue...
  [nginx] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
  [nginx] Fetching packagesite.txz: 100%  118 KiB 121.3kB/s    00:01
  Processing entries: 100%
  iniquity.io repository update completed. 493 packages processed.
  All repositories are up to date.
  Checking for upgrades (1 candidates): 100%
  Processing candidates (1 candidates): 100%
  The following 1 package(s) will be affected (of 0 checked):
  Installed packages to be UPGRADED:
      nginx-lite: 1.14.0_14,2 -> 1.14.1,2
  Number of packages to be upgraded: 1
  315 KiB to be downloaded.
  Proceed with this action? [y/N]: y
  [nginx] [1/1] Fetching nginx-lite-1.14.1,2.txz: 100%  315 KiB 322.8kB/s    00:01
  Checking integrity... done (0 conflicting)
  [nginx] [1/1] Upgrading nginx-lite from 1.14.0_14,2 to 1.14.1,2...
  ===> Creating groups.
  Using existing group 'www'.
  ===> Creating users
  Using existing user 'www'.
  [nginx] [1/1] Extracting nginx-lite-1.14.1,2: 100%
  You may need to manually remove /usr/local/etc/nginx/nginx.conf if it is no longer needed.
--- a/docs/chapters/subcommands/restart.rst
+++ b/docs/chapters/subcommands/restart.rst
@@ -0,0 +1,13 @@
 restart
 =======
 To restart a jail you can use the `bastille restart` command.
 .. code-block:: shell
  ishmael ~ # bastille restart folsom
  [folsom]:
  folsom: removed
  [folsom]:
  folsom: created
--- a/docs/chapters/subcommands/start.rst
+++ b/docs/chapters/subcommands/start.rst
@@ -0,0 +1,10 @@
 start
 =====
 To start a jail you can use the `bastille start` command.
 .. code-block:: shell
  ishmael ~ # bastille start folsom
  [folsom]:
  folsom: created
--- a/docs/chapters/subcommands/stop.rst
+++ b/docs/chapters/subcommands/stop.rst
@@ -0,0 +1,10 @@
 stop
 ====
 To stop a jail you can use the `bastille stop` command.
 .. code-block:: shell
  ishmael ~ # bastille stop folsom
  [folsom]:
  folsom: removed
--- a/docs/chapters/subcommands/sysrc.rst
+++ b/docs/chapters/subcommands/sysrc.rst
@@ -0,0 +1,14 @@
 =====
 sysrc
 =====
 The `sysrc` sub-command allows for safely editing system configuration files.
 In jail terms, this allows us to toggle on/off services and options at startup.
 .. code-block:: shell
  ishmael ~ # bastille sysrc nginx nginx_enable="YES"
  [nginx]:
  nginx_enable: NO -> YES
 See `man sysrc(8)` for more info.
--- a/docs/chapters/subcommands/top.rst
+++ b/docs/chapters/subcommands/top.rst
@@ -0,0 +1,10 @@
 ===
 top
 ===
 This one runs `top` in that jail. 
 .. image:: ../../images/top.png
    :align: center
    :alt: bastille top jail
--- a/docs/chapters/subcommands/update.rst
+++ b/docs/chapters/subcommands/update.rst
@@ -0,0 +1,41 @@
 ======
 update
 ======
 The `update` command targets a release instead of a jail. Because every jail is
 based on a release, when the release is updated all the jails are automatically
 updated as well.
 If no updates are available, a message will be shown:
 .. code-block:: shell
  ishmael ~ # bastille update 11.2-RELEASE
  Looking up update.FreeBSD.org mirrors... 2 mirrors found.
  Fetching metadata signature for 11.2-RELEASE from update4.freebsd.org... done.
  Fetching metadata index... done.
  Inspecting system... done.
  Preparing to download files... done.
  No updates needed to update system to 11.2-RELEASE-p4.
  No updates are available to install.
 The older the release, however, the more updates will be available:
 .. code-block:: shell
  ishmael ~ # bastille update 10.4-RELEASE
  Looking up update.FreeBSD.org mirrors... 2 mirrors found.
  Fetching metadata signature for 10.4-RELEASE from update1.freebsd.org... done.
  Fetching metadata index... done.
  Fetching 2 metadata patches.. done.
  Applying metadata patches... done.
  Fetching 2 metadata files... done.
  Inspecting system... done.
  Preparing to download files... done.
  The following files will be added as part of updating to 10.4-RELEASE-p13:
  ...[snip]...
 To be safe, you may want to restart any jails that have been updated live.
--- a/docs/chapters/subcommands/upgrade.rst
+++ b/docs/chapters/subcommands/upgrade.rst
@@ -0,0 +1,11 @@
 =======
 upgrade
 =======
 This command lets you upgrade a release to a new release. Depending on the
 workflow this can be similar to a `bootstrap`.
 .. code-block:: shell
  ishmael ~ # bastille upgrade 11.2-RELEASE 12.0-RELEASE
--- a/docs/chapters/subcommands/verify.rst
+++ b/docs/chapters/subcommands/verify.rst
@@ -0,0 +1,21 @@
 ======
 verify
 ======
 This command scans a bootstrapped release and validates that everything looks
 in order. This is not a 100% comprehensive check, but it compares the release
 against a "known good" index.
 If you see errors or issues here, consider deleting and re-bootstrapping
 the release.
 .. code-block:: shell
  ishmael ~ # bastille verify 11.2-RELEASE
  Looking up update.FreeBSD.org mirrors... 2 mirrors found.
  Fetching metadata signature for 11.2-RELEASE from update1.freebsd.org... done.
  Fetching metadata index... done.
  Fetching 1 metadata patches. done.
  Applying metadata patches... done.
  Fetching 1 metadata files... done.
  Inspecting system... done.
--- a/docs/chapters/targeting.rst
+++ b/docs/chapters/targeting.rst
@@ -0,0 +1,69 @@
 =========
 Targeting
 =========
 Bastille uses a `command-target-args` syntax, meaning that each command
 requires a target. Targets are usually jails, but can also be releases.
 Targeting a jail is done by providing the exact jail name.
 Targeting a release is done by providing the release name. (Note: do note
 include the `-pX` point-release version.)
 Bastille includes a pre-defined keyword ALL to target all running jails.
 In the future I would like to support more options, including globbing, lists
 and regular-expressions.
 Examples: Jails
 ===============
 .. code-block:: shell
  ishmael ~ # bastille ...
 +-----------+--------+------------------+-------------------------------------------------------------+
 | command   | target | args             | description                                                 |
 +===========+========+==================+=============================================================+
 | cmd       | ALL    | 'sockstat -4'    | execute `sockstat -4` in ALL jails (listening ip4 sockets)  |
 +-----------+--------+-----+------------+-------------------------------------------------------------+ 
 | console   | mariadb02    | ---        | console (shell) access to mariadb02                         |
 +----+------+----+---------+------------+--------------+----------------------------------------------+ 
 | pkg       | web01  | 'install nginx'  | install nginx package in web01 jail                         |
 +-----------+--------+------------------+-------------------------------------------------------------+
 | pkg       | ALL    | upgrade          | upgrade packages in ALL jails                               |
 +-----------+--------+------------------+-------------------------------------------------------------+ 
 | pkg       | ALL    | audit            | (CVE) audit packages in ALL jails                           |
 +-----------+--------+------------------+-------------------------------------------------------------+ 
 | sysrc     | web01  | nginx_enable=YES | execute `sysrc nginx_enable=YES` in web01 jail              |
 +-----------+--------+------------------+-------------------------------------------------------------+ 
 | template  | ALL    | base             | apply `base` template to ALL jails                          |
 +-----------+--------+------------------+-------------------------------------------------------------+ 
 | start     | web02  | ---              | start web02 jail                                            |
 +-----------+--------+-----+------------+-------------------------------------------------------------+ 
 | cp | bastion03 | /tmp/resolv.conf-cf etc/resolv.conf | copy host-path to jail-path in bastion03     |
 +----+------+----+---+------------------+--------------+----------------------------------------------+ 
 | create    | folsom | 12.0-RELEASE 10.10.10.10        | create v12.0 jail named `folsom` with IP     |
 +-----------+--------+------------------+--------------+----------------------------------------------+
 Examples: Releases
 ==================
 .. code-block:: shell
  ishmael ~ # bastille ...
 +-----------+--------------+--------------+-------------------------------------------------------------+
 | command   | target       | args         | description                                                 |
 +===========+==============+==============+=============================================================+
 | bootstrap | 12.0-RELEASE | ---          | bootstrap 12.0-RELEASE release                              |
 +-----------+--------------+--------------+-------------------------------------------------------------+ 
 | update    | 11.2-RELEASE | ---          | update 11.2-RELEASE release                                 |
 +-----------+--------------+--------------+-------------------------------------------------------------+ 
 | upgrade   | 11.1-RELEASE | 11.2-RELEASE | update 11.2-RELEASE release                                 |
 +-----------+--------------+--------------+-------------------------------------------------------------+ 
 | verify    | 11.2-RELEASE | ---          | update 11.2-RELEASE release                                 |
 +-----------+--------------+--------------+-------------------------------------------------------------+ 
--- a/docs/chapters/template.rst
+++ b/docs/chapters/template.rst
@@ -0,0 +1,132 @@
 ========
 Template
 ========
 Bastille supports a templating system allowing you to apply files, pkgs and
 execute commands inside the jail automatically.
 Currently supported template hooks are: `PRE`, `CONFIG`, `PKG`, `SYSRC`, `CMD`.
 Planned template hooks include: `FSTAB`, `PF`
 Templates are created in `${bastille_prefix}/templates` and can leverage any of
 the template hooks. Simply create a new directory named after the template. eg;
 .. code-block:: shell
  mkdir -p /usr/local/bastille/templates/base
 To leverage a template hook, create an UPPERCASE file in the root of the
 template directory named after the hook you want to execute. eg;
 .. code-block:: shell
  echo "zsh vim-console git-lite htop" > /usr/local/bastille/templates/base/PKG
  echo "/usr/bin/chsh -s /usr/local/bin/zsh" > /usr/local/bastille/templates/base/CMD
  echo "etc root usr" > /usr/local/bastille/templates/base/CONFIG
 Template hooks are executed in specific order and require specific syntax to
 work as expected. This table outlines those requirements:
 +---------+------------------+--------------------------------------+
 | HOOK    | format           | example                              |
 +=========+==================+======================================+
 | PRE/CMD | /bin/sh command  | /usr/bin/chsh -s /usr/local/bin/zsh  |
 +---------+------------------+--------------------------------------+
 | CONFIG  | path             | etc root usr                         |
 +---------+------------------+--------------------------------------+
 | PKG     | port/pkg name(s) | vim-console zsh git-lite tree htop   |
 +---------+------------------+--------------------------------------+
 | SYSRC   | sysrc command(s) | nginx_enable=YES                     |
 +---------+------------------+--------------------------------------+
 Note: SYSRC requires NO quotes or that quotes (`"`) be escaped. ie; `\"`)
 In addition to supporting template hooks, Bastille supports overlaying
 files into the jail. This is done by placing the files in their full path,
 using the template directory as "/".
 An example here may help. Think of `/usr/local/bastille/templates/base`,
 our example template, as the root of our filesystem overlay. If you create
 an `etc/hosts` or `etc/resolv.conf` *inside* the base template directory,
 these can be overlayed into your jail.
 Note: due to the way FreeBSD segregates user-space, the majority of your
 overlayed template files will be in `usr/local`. The few general
 exceptions are the `etc/hosts`, `etc/resolv.conf`, and
 `etc/rc.conf.local`.
 After populating `usr/local/` with custom config files that your jail will
 use, be sure to include `usr` in the template CONFIG definition. eg;
 .. code-block:: shell
  echo "etc usr" > /usr/local/bastille/templates/base/CONFIG
 The above example "etc usr" will include anything under "etc" and "usr"
 inside the template. You do not need to list individual files. Just
 include the top-level directory name.
 Applying Templates
 ------------------
 Jails must be running to apply templates.
 Bastille includes a `template` command. This command requires a target and a
 template name. As covered in the previous section, template names correspond to
 directory names in the `bastille/templates` directory.
 .. code-block:: shell
  ishmael ~ # bastille template ALL base
  [cdn]:
  Copying files...
  Copy complete.
  Installing packages.
  pkg already bootstrapped at /usr/local/sbin/pkg
  vulnxml file up-to-date
  0 problem(s) in the installed packages found.
  Updating iniquity.io repository catalogue...
  [cdn] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
  [cdn] Fetching packagesite.txz: 100%  121 KiB 124.3kB/s    00:01
  Processing entries: 100%
  iniquity.io repository update completed. 499 packages processed.
  All repositories are up to date.
  Checking integrity... done (0 conflicting)
  The most recent version of packages are already installed
  Updating services.
  cron_flags: -J 60 -> -J 60
  sendmail_enable: NONE -> NONE
  syslogd_flags: -ss -> -ss
  Executing final command(s).
  chsh: user information updated
  Template Complete.
  [poudriere]:
  Copying files...
  Copy complete.
  Installing packages.
  pkg already bootstrapped at /usr/local/sbin/pkg
  vulnxml file up-to-date
  0 problem(s) in the installed packages found.
  Updating cdn.iniquity.io repository catalogue...
  [poudriere] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
  [poudriere] Fetching packagesite.txz: 100%  121 KiB 124.3kB/s    00:01
  Processing entries: 100%
  cdn.iniquity.io repository update completed. 499 packages processed.
  Updating iniquity.io repository catalogue...
  [poudriere] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
  [poudriere] Fetching packagesite.txz: 100%  121 KiB 124.3kB/s    00:01
  Processing entries: 100%
  iniquity.io repository update completed. 499 packages processed.
  All repositories are up to date.
  Checking integrity... done (0 conflicting)
  The most recent version of packages are already installed
  Updating services.
  cron_flags: -J 60 -> -J 60
  sendmail_enable: NONE -> NONE
  syslogd_flags: -ss -> -ss
  Executing final command(s).
  chsh: user information updated
  Template Complete.
--- a/docs/chapters/usage.rst
+++ b/docs/chapters/usage.rst
@@ -0,0 +1,32 @@
 =====
 Usage
 =====
 .. code-block:: shell
    ishmael ~ # bastille -h
    Usage:
      bastille command [ALL|glob] [args]
    Available Commands:
      bootstrap   Bootstrap a FreeBSD release for jail base.
      cmd         Execute arbitrary command on targeted jail(s).
      console     Console into a running jail.
      cp          cp(1) files from host to targeted jail(s).
      create      Create a new jail.
      destroy     Destroy a stopped jail.
      help        Help about any command
      htop        Interactive process viewer (requires htop).
      list        List jails (running and stopped).
      pkg         Manipulate binary packages within targeted jail(s). See pkg(8).
      restart     Restart a running jail.
      start       Start a stopped jail.
      stop        Stop a running jail.
      sysrc       Safely edit rc files within targeted jail(s).
      template    Apply Bastille template to running jail(s).
      top         Display and update information about the top(1) cpu processes.
      update      Update jail base -pX release.
      upgrade     Upgrade jail release to X.Y-RELEASE.
    Use "bastille -v|--version" for version information.
    Use "bastille command -h|--help" for more information about a command.
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -1,21 +1,3 @@
 # -*- coding: utf-8 -*-
 #
 # Configuration file for the Sphinx documentation builder.
 #
 # This file does only contain a selection of the most common options. For a
 # full list see the documentation:
 # http://www.sphinx-doc.org/en/master/config
 # -- Path setup --------------------------------------------------------------
 # If extensions (or modules to document with autodoc) are in another directory,
 # add these directories to sys.path here. If the directory is relative to the
 # documentation root, use os.path.abspath to make it absolute, like shown here.
 #
 # import os
 # import sys
 # sys.path.insert(0, os.path.abspath('.'))
 import os
 on_rtd = os.environ.get('READTHEDOCS') == 'True'
 if on_rtd:
@@ -26,128 +8,55 @@ else:
 # -- Project information -----------------------------------------------------
 project = 'Bastille'
-copyright = '2018, Christer Edwards'
+copyright = '2018-2019, Christer Edwards'
 author = 'Christer Edwards'
 # The short X.Y version
-version = '0.3'
+version = '0.3.20181124'
 # The full version, including alpha/beta/rc tags
-release = 'beta'
+release = '0.3.20181124-beta'
 # -- General configuration ---------------------------------------------------
 # If your documentation needs a minimal Sphinx version, state it here.
 #
 # needs_sphinx = '1.0'
 # Add any Sphinx extension module names here, as strings. They can be
 # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
 # ones.
 extensions = [
 ]
 # Add any paths that contain templates here, relative to this directory.
 templates_path = ['_templates']
-# The suffix(es) of source filenames.
+source_suffix = ['.rst', '.md']
 # You can specify multiple suffix as a list of string:
 #
 # source_suffix = ['.rst', '.md']
 source_suffix = '.md'
 from recommonmark.parser import CommonMarkParser
 source_parsers = {
    '.md': CommonMarkParser,
 }
-# The master toctree document.
+master_doc = 'index'
 master_doc = 'README'
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.
 #
 # This is also used if you do content translation via gettext catalogs.
 # Usually you set "language" from the command line for these cases.
 language = None
 # List of patterns, relative to source directory, that match files and
 # directories to ignore when looking for source files.
 # This pattern also affects html_static_path and html_extra_path.
 exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store']
 # The name of the Pygments (syntax highlighting) style to use.
 pygments_style = None
 # -- Options for HTML output -------------------------------------------------
 # The theme to use for HTML and HTML Help pages.  See the documentation for
 # a list of builtin themes.
 #
 ##html_theme = 'alabaster'
 # Theme options are theme-specific and customize the look and feel of a theme
 # further.  For a list of options available for each theme, see the
 # documentation.
 #
 # html_theme_options = {}
 # Add any paths that contain custom static files (such as style sheets) here,
 # relative to this directory. They are copied after the builtin static files,
 # so a file named "default.css" will overwrite the builtin "default.css".
 html_static_path = ['_static']
 # Custom sidebar templates, must be a dictionary that maps document names
 # to template names.
 #
 # The default sidebars (for documents that don't match any pattern) are
 # defined by theme itself.  Builtin themes are using these templates by
 # default: ``['localtoc.html', 'relations.html', 'sourcelink.html',
 # 'searchbox.html']``.
 #
 # html_sidebars = {}
 # -- Options for HTMLHelp output ---------------------------------------------
 # Output file base name for HTML help builder.
 htmlhelp_basename = 'Bastilledoc'
 # -- Options for LaTeX output ------------------------------------------------
 latex_elements = {
    # The paper size ('letterpaper' or 'a4paper').
    #
    # 'papersize': 'letterpaper',
    # The font size ('10pt', '11pt' or '12pt').
    #
    # 'pointsize': '10pt',
    # Additional stuff for the LaTeX preamble.
    #
    # 'preamble': '',
    # Latex figure (float) alignment
    #
    # 'figure_align': 'htbp',
 }
 # Grouping the document tree into LaTeX files. List of tuples
 # (source start file, target name, title,
 #  author, documentclass [howto, manual, or own class]).
 latex_documents = [
    (master_doc, 'Bastille.tex', 'Bastille Documentation',
     'Christer Edwards', 'manual'),
 ]
 # -- Options for manual page output ------------------------------------------
 # One entry per manual page. List of tuples
 # (source start file, name, description, authors, manual section).
 man_pages = [
    (master_doc, 'bastille', 'Bastille Documentation',
     [author], 1)
@@ -156,30 +65,15 @@ man_pages = [
 # -- Options for Texinfo output ----------------------------------------------
 # Grouping the document tree into Texinfo files. List of tuples
 # (source start file, target name, title, author,
 #  dir menu entry, description, category)
 texinfo_documents = [
    (master_doc, 'Bastille', 'Bastille Documentation',
-     author, 'Bastille', 'One line description of project.',
+     author, 'Bastille', 'Bastille is a jail automation framework that allows you to quickly and easily create and manage FreeBSD jails.',
     'Miscellaneous'),
 ]
 # -- Options for Epub output -------------------------------------------------
 # Bibliographic Dublin Core info.
 epub_title = project
 # The unique identifier of the text. This can be a ISBN number
 # or the project homepage.
 #
 # epub_identifier = ''
 # A unique identification for the text.
 #
 # epub_uid = ''
 # A list of files that should not be packed into the epub file.
 epub_exclude_files = ['search.html']
--- a/docs/copyright.rst
+++ b/docs/copyright.rst
@@ -0,0 +1,8 @@
 =========
 Copyright
 =========
 This content is copyright Christer Edwards. All rights reserved.
 Duplication of this content without the express written permission of the
 author is not permitted.
--- a/docs/images/bastillebsd-twitter-poll.png
+++ b/docs/images/bastillebsd-twitter-poll.png
--- a/docs/images/htop.png
+++ b/docs/images/htop.png
--- a/docs/images/top.png
+++ b/docs/images/top.png
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -0,0 +1,23 @@
 Bastille
 ========
 Welcome to the official Bastille documentation. This collection of documents
 will outline installation and usage of Bastille.
 The latest version of this documentation can always be found at
 https://docs.bastillebsd.org.
 .. toctree::
   :maxdepth: 2
   :caption: Contents:
   chapters/installation
   chapters/networking
   chapters/usage
   chapters/targeting
   chapters/subcommands/index
   chapters/template
   copyright
 Note: this documentation is included with the source code in `docs`.
--- a/docs/index.rst.sample
+++ b/docs/index.rst.sample
@@ -1,20 +0,0 @@
 .. Bastille documentation master file, created by
   sphinx-quickstart on Tue Nov 20 20:48:22 2018.
   You can adapt this file completely to your liking, but it should at least
   contain the root `toctree` directive.
 Welcome to Bastille's documentation!
 ====================================
 .. toctree::
   :maxdepth: 2
   :caption: Contents:
 Indices and tables
 ==================
 * :ref:`genindex`
 * :ref:`modindex`
 * :ref:`search`
--- a/usr/local/bin/bastille
+++ b/usr/local/bin/bastille
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -32,7 +32,7 @@
 . /usr/local/etc/bastille/bastille.conf
 ## version
-BASTILLE_VERSION="0.3.20181124"
+BASTILLE_VERSION="0.3.20190204"
 usage() {
    cat << EOF
@@ -88,16 +88,16 @@ esac
 # Filter out all non-commands
 case "${CMD}" in
 cmd|cp|create|destroy|list|pkg|restart|start|stop|sysrc|template|verify)
-	;;
+    ;;
 update|upgrade)
-	;;
+    ;;
 console|bootstrap|htop|top)
    ;;
 bootstrap|update|upgrade)
-	;;
+    ;;
 *)
-	usage
+usage
-	;;
+    ;;
 esac
 SCRIPTPATH="${bastille_sharedir}/${CMD}.sh"
--- a/usr/local/etc/bastille/bastille.conf
+++ b/usr/local/etc/bastille/bastille.conf
@@ -1,11 +1,30 @@
 #####################
 ## [ BastilleBSD ] ##
 #####################
 ## default paths
-bastille_prefix=/usr/local/bastille
+bastille_prefix=/usr/local/bastille                     ## default: "/usr/local/bastille"
-bastille_cachedir=${bastille_prefix}/cache
+bastille_cachedir=${bastille_prefix}/cache              ## default: ${bastille_prefix}/cache
-bastille_jailsdir=${bastille_prefix}/jails
+bastille_jailsdir=${bastille_prefix}/jails              ## default: ${bastille_prefix}/jails
-bastille_logsdir=${bastille_prefix}/logs
+bastille_logsdir=${bastille_prefix}/logs                ## default: ${bastille_prefix}/logs
-bastille_releasesdir=${bastille_prefix}/releases
+bastille_releasesdir=${bastille_prefix}/releases        ## default: ${bastille_prefix}/releases
-bastille_templatesdir=${bastille_prefix}/templates
+bastille_templatesdir=${bastille_prefix}/templates      ## default: ${bastille_prefix}/templates
-bastille_sharedir=/usr/local/share/bastille
+
 ## bastille scripts directory (assumed by bastille pkg)
 bastille_sharedir=/usr/local/share/bastille             ## default: "/usr/local/share/bastille"
 ## bootstrap archives (base, lib32, ports, src, test)
 bastille_bootstrap_archives="base"                      ## default: "base"
 ## default timezone
 bastille_tzdata="etc/UTC"                               ## default: "etc/UTC"
 ## default jail resolv.conf
 bastille_resolv_conf="/etc/resolv.conf"                 ## default: "/etc/resolv.conf"
 ## ZFS options
 bastille_zfs_enable=""                               ## default: ""
 bastille_zfs_zpool=""                              ## default: ""
 bastille_zfs_prefix="bastille"                          ## default: "${bastille_zfs_zpool}/bastille"
 bastille_zfs_mountpoint=${bastille_prefix}              ## default: "${bastille_prefix}"
 bastille_zfs_options="-o compress=lz4 -o atime=off"     ## default: "-o compress=lz4 -o atime=off"
--- a/usr/local/etc/rc.d/bastille
+++ b/usr/local/etc/rc.d/bastille
@@ -1,6 +1,6 @@
 #!/bin/sh
-# $FreeBSD: $
+# Bastille jail startup script
 #
 # PROVIDE: bastille
 # REQUIRE: LOGIN
@@ -10,7 +10,7 @@
 #
 # bastille_enable (bool):          Set to NO by default.
 #               Set it to YES to enable bastille.
-# bastille_list (string):        Set to "" by default.
+# bastille_list (string):        Set to "ALL" by default.
 #               Space separated list of jails to start.
 #
@@ -19,27 +19,43 @@
 name=bastille
 rcvar=${name}_enable
 command="/usr/local/bin/${name}"
 start_cmd="${name}_start"
 stop_cmd="${name}_stop"
 : ${bastille_enable:=NO}
 : ${bastille_list:="ALL"}
 command=/usr/local/bin/${name}
 start_cmd="bastille_start"
 stop_cmd="bastille_stop"
 restart_cmd="bastille_stop && bastille_start"
 bastille_start()
 {
    if [ ! -n "${bastille_list}" ]; then
        echo "${bastille_list} is undefined"
        return 1
    fi
    local _jail
    for _jail in ${bastille_list}; do
        echo "Starting Bastille Jail: ${_jail}"
        ${command} start ${_jail}
    done
 }
 bastille_stop()
 {
    if [ ! -n "${bastille_list}" ]; then
        echo "${bastille_list} is undefined"
        return 1
    fi
    local _jail
    for _jail in ${bastille_list}; do
        echo "Stopping Bastille Jail: ${_jail}"
        ${command} stop ${_jail}
    done
 }
 load_rc_config ${name}
-run_rc_command "$@"
+run_rc_command "$1"
--- a/usr/local/share/bastille/bootstrap.sh
+++ b/usr/local/share/bastille/bootstrap.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -32,7 +32,7 @@
 . /usr/local/etc/bastille/bastille.conf
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille bootstrap release.${COLOR_RESET}"
+    echo -e "${COLOR_RED}Usage: bastille bootstrap [release|template].${COLOR_RESET}"
    exit 1
 }
@@ -43,108 +43,216 @@ help|-h|--help)
    ;;
 esac
-RELEASE=$1
+bootstrap_directories() {
 bootstrap() {
    ## ensure required directories are in place
-    if [ ! -d ${bastille_jailsdir} ]; then
+
-        mkdir -p ${bastille_jailsdir}
+    ## ${bastille_prefix}
-    fi
+    if [ ! -d "${bastille_prefix}" ]; then
-    if [ ! -d ${bastille_logsdir} ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ];then
-        mkdir -p ${bastille_logsdir}
+            if [ ! -z "${bastille_zfs_zpool}" ]; then
-    fi
+                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_prefix} ${bastille_zfs_zpool}/${bastille_zfs_prefix}
-    if [ ! -d ${bastille_templatesdir} ]; then
+            fi
-        mkdir -p ${bastille_templatesdir}
+        else
-    fi
+            mkdir -p "${bastille_prefix}"
-    if [ ! -d "${bastille_cachedir}/${RELEASE}" ]; then
+        fi
        mkdir -p "${bastille_cachedir}/${RELEASE}"
    fi
-    ### create $bastille_base/release/$release directory
+    ## ${bastille_cachedir}
-    ### fetch $release/base.txz -o $bastille_base/cache/$release/base.txz
+    if [ ! -d "${bastille_cachedir}" ]; then
-    ### fetch $release/lib32.txz -o $bastille_base/cache/$release/lib32.txz
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
-    ### extract $release/base.txz to $bastille_base/release/$release
+            if [ ! -z "${bastille_zfs_zpool}" ]; then
-    ### extract $release/lib32.txz to $bastille_base/release/$release
+                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_cachedir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache
-    if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
+                mkdir -p ${bastille_cachedir}/${RELEASE}
-        mkdir -p "${bastille_releasesdir}/${RELEASE}"
+            fi
-        sh ${bastille_sharedir}/freebsd_dist_fetch.sh -r ${RELEASE} base lib32
+        else
            mkdir -p "${bastille_cachedir}"
        fi
    fi
-        echo
+    ## ${bastille_jailsdir}
-        echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} base.txz.${COLOR_RESET}"
+    if [ ! -d "${bastille_jailsdir}" ]; then
-        /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/base.txz"
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
            if [ ! -z "${bastille_zfs_zpool}" ]; then
                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_jailsdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails
            fi
        else
            mkdir -p "${bastille_jailsdir}"
        fi
    fi
-        echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} lib32.txz.${COLOR_RESET}"
+    ## ${bastille_logsdir}
-        /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/lib32.txz"
+    if [ ! -d "${bastille_logsdir}" ]; then
        if [ "${bastille_zfs_enable}" = "YES" ]; then
            if [ ! -z "${bastille_zfs_zpool}" ]; then
                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_logsdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/logs
            fi
        else
            mkdir -p "${bastille_logsdir}"
        fi
    fi
-        echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
+    ## ${bastille_templatesdir}
-        echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
+    if [ ! -d "${bastille_templatesdir}" ]; then
-        echo
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
-    else
+            if [ ! -z "${bastille_zfs_zpool}" ]; then
-        echo -e "${COLOR_RED}Bootstrap appears complete.${COLOR_RESET}"
+                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_templatesdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates
-        exit 1
+            fi
        else
            mkdir -p "${bastille_templatesdir}"
        fi
    fi
    ## ${bastille_releasesdir}
    if [ ! -d "${bastille_releasesdir}" ]; then
        if [ "${bastille_zfs_enable}" = "YES" ]; then
            if [ ! -z "${bastille_zfs_zpool}" ]; then
                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_releasesdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases
                mkdir -p "${bastille_releasesdir}/${RELEASE}"
 	        fi
        else
            mkdir -p "${bastille_releasesdir}"
        fi
    fi
 }
 bootstrap_release() {
    ## if release exists, quit
    if [ -f "${bastille_releasesdir}/${RELEASE}/COPYRIGHT" ]; then
        echo -e "${COLOR_RED}Bootstrap appears complete.${COLOR_RESET}"
        exit 1
    fi
    for _archive in ${bastille_bootstrap_archives}; do
        if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
            echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
            /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
        fi
    done
    for _archive in ${bastille_bootstrap_archives}; do
        if [ ! -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
            fetch ${UPSTREAM_URL}/${_archive}.txz -o ${bastille_cachedir}/${RELEASE}/${_archive}.txz
 	fi
        if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
            echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
            /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
 	fi
    done
    echo
    echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
    echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
    echo
 }
 bootstrap_template() {
    ## define basic variables
    _url=${BASTILLE_TEMPLATE_URL}
    _user=${BASTILLE_TEMPLATE_USER}
    _repo=${BASTILLE_TEMPLATE_REPO}
    _template=${bastille_templatesdir}/${_user}/${_repo}
    ## support for non-git
    if [ ! -x /usr/local/bin/git ]; then
 	echo -e "${COLOR_RED}We're gonna have to use fetch. Strap in.${COLOR_RESET}"
 	echo -e "${COLOR_RED}Not yet implemented...${COLOR_RESET}"
 	exit 1
    fi
    ## support for git
    if [ -x /usr/local/bin/git ]; then
        if [ ! -d "${_template}/.git" ]; then
            /usr/local/bin/git clone "${_url}" "${_template}" ||\
                echo -e "${COLOR_RED}Clone unsuccessful.${COLOR_RESET}"
                echo
        elif [ -d "${_template}/.git" ]; then
            cd ${_template} &&
            /usr/local/bin/git pull ||\
                echo -e "${COLOR_RED}Template update unsuccessful.${COLOR_RESET}"
                echo
        fi
    fi
    ## template validation
    _hook_validate=0
    for _hook in PRE FSTAB PF PKG SYSRC CMD; do
        if [ -s ${_template}/${_hook} ]; then
            _hook_validate=$((_hook_validate+1))
            echo -e "${COLOR_GREEN}Detected ${_hook} hook.${COLOR_RESET}"
            echo -e "${COLOR_GREEN}[${_hook}]:${COLOR_RESET}"
            cat "${_template}/${_hook}"
            echo
        fi
    done
    # template overlay
    if [ -s ${_template}/CONFIG ]; then
        _hook_validate=$((_hook_validate+1))
        echo -e "${COLOR_GREEN}Detected CONFIG hook.${COLOR_RESET}"
        while read _dir; do
            echo -e "${COLOR_GREEN}[${_dir}]:${COLOR_RESET}"
            tree -a ${_template}/${_dir}
        done < ${_template}/CONFIG
        echo
    fi
    ## remove bad templates
    if [ ${_hook_validate} -lt 1 ]; then
        echo -e "${COLOR_GREEN}Template validation failed.${COLOR_RESET}"
        echo -e "${COLOR_GREEN}Deleting template.${COLOR_RESET}"
        rm -rf ${_template}
 	exit 1
    fi
    ## if validated; ready to use 
    if [ ${_hook_validate} -gt 0 ]; then
        echo -e "${COLOR_GREEN}Template ready to use.${COLOR_RESET}"
        echo
    fi
 }
 #Usage: bastille bootstrap [release|template].${COLOR_RESET}"
 HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }')
 HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }')
 # Filter sane release names
-case "${RELEASE}" in
+case "${1}" in
 10.1-RELEASE)
    bootstrap
    echo -e "${COLOR_RED}WARNING: FreeBSD 10.1-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
 	;;
 10.2-RELEASE)
    bootstrap
    echo -e "${COLOR_RED}WARNING: FreeBSD 10.2-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
 	;;
 10.3-RELEASE)
    bootstrap
    echo -e "${COLOR_RED}WARNING: FreeBSD 10.3-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
 	;;
 10.4-RELEASE)
    bootstrap
    echo -e "${COLOR_RED}WARNING: FreeBSD 10.4-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
 	;;
 11.0-RELEASE)
    bootstrap
    echo -e "${COLOR_RED}WARNING: FreeBSD 11.0-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
 	;;
 11.1-RELEASE)
    bootstrap
    echo -e "${COLOR_RED}WARNING: FreeBSD 11.1-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
 	;;
 11.2-RELEASE)
-    bootstrap
+    RELEASE="${1}"
-	;;
+    UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/11.2-RELEASE/"
    bootstrap_directories
    bootstrap_release
    ;;
 12.0-RELEASE)
-    bootstrap
+    RELEASE="${1}"
-	;;
+    UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/12.0-RELEASE/"
-12.0-BETA1)
+    bootstrap_directories
-    bootstrap
+    bootstrap_release
-    echo -e "${COLOR_RED}BETA releases are completely untested.${COLOR_RESET}"
+    ;;
-	;;
+11-stable-LAST)
-12.0-BETA2)
+    RELEASE="${1}"
-    bootstrap
+    UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-11-stable-LAST/"
-    echo -e "${COLOR_RED}BETA releases are completely untested.${COLOR_RESET}"
+    bootstrap_directories
-	;;
+    bootstrap_release
-12.0-BETA3)
+    ;;
-    bootstrap
+12-stable-LAST)
-    echo -e "${COLOR_RED}BETA releases are completely untested.${COLOR_RESET}"
+    RELEASE="${1}"
-	;;
+    UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-12-stable-LAST/"
-12.0-BETA4)
+    bootstrap_directories
-    bootstrap
+    bootstrap_release
-    echo -e "${COLOR_RED}BETA releases are completely untested.${COLOR_RESET}"
+    ;;
-	;;
+http?://github.com/*/*)
-12.0-RC1)
+    BASTILLE_TEMPLATE_URL=${1}
-    bootstrap
+    BASTILLE_TEMPLATE_USER=$(echo "${1}" | awk -F / '{ print $4 }')
-    echo -e "${COLOR_RED}RC releases are completely untested.${COLOR_RESET}"
+    BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }')
-	;;
+    echo -e "${COLOR_GREEN}Template: ${1}${COLOR_RESET}"
-12.0-RC2)
+    echo
-    bootstrap
+    bootstrap_directories
-    echo -e "${COLOR_RED}RC releases are completely untested.${COLOR_RESET}"
+    bootstrap_template
-	;;
+    ;;
 12.0-RC3)
    bootstrap
    echo -e "${COLOR_RED}RC releases are completely untested.${COLOR_RESET}"
 	;;
 *)
    usage
    ;;
--- a/usr/local/share/bastille/cmd.sh
+++ b/usr/local/share/bastille/cmd.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
--- a/usr/local/share/bastille/console.sh
+++ b/usr/local/share/bastille/console.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
--- a/usr/local/share/bastille/cp.sh
+++ b/usr/local/share/bastille/cp.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
--- a/usr/local/share/bastille/create.sh
+++ b/usr/local/share/bastille/create.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -41,6 +41,7 @@ running_jail() {
 }
 validate_ip() {
    local IFS
    ip=${IP}
    if expr "$ip" : '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' >/dev/null; then
@@ -65,9 +66,19 @@ create_jail() {
    bastille_jail_fstab="${bastille_jailsdir}/${NAME}/fstab"  ## file
    bastille_jail_conf="${bastille_jailsdir}/${NAME}/jail.conf"  ## file
    bastille_jail_log="${bastille_logsdir}/${NAME}_console.log"  ## file
-    bastille_jail_rc_conf="${bastille_jailsdir}/${NAME}/root/etc/rc.conf.local" ## file
+    bastille_jail_rc_conf="${bastille_jailsdir}/${NAME}/root/etc/rc.conf" ## file
    bastille_jail_resolv_conf="${bastille_jailsdir}/${NAME}/root/etc/resolv.conf" ## file
    if [ ! -d "${bastille_jailsdir}/${NAME}" ]; then
        if [ "${bastille_zfs_enable}" = "YES" ]; then
            if [ ! -z "${bastille_zfs_zpool}" ]; then
                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_jailsdir}/${NAME} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}
            fi
        else
            mkdir -p "${bastille_jailsdir}/${NAME}"
        fi
    fi
    if [ ! -d "${bastille_jail_base}" ]; then
        mkdir -p "${bastille_jail_base}"
        mkdir -p "${bastille_jail_path}/usr/home"
@@ -83,14 +94,14 @@ create_jail() {
    fi
    if [ ! -f "${bastille_jail_conf}" ]; then
-	echo -e "interface = lo1;\nhost.hostname = ${NAME};\nexec.consolelog =\
+echo -e "interface = lo1;\nhost.hostname = ${NAME};\nexec.consolelog = \
-	${bastille_jail_log};\npath = ${bastille_jail_path};\nip6 =\
+${bastille_jail_log};\npath = ${bastille_jail_path};\nip6 = \
-	disable;\nsecurelevel = 2;\ndevfs_ruleset = 4;\nenforce_statfs =\
+disable;\nsecurelevel = 2;\ndevfs_ruleset = 4;\nenforce_statfs = \
-	2;\nexec.start = '/bin/sh /etc/rc';\nexec.stop = '/bin/sh\
+2;\nexec.start = '/bin/sh /etc/rc';\nexec.stop = '/bin/sh \
-	/etc/rc.shutdown';\nexec.clean;\nmount.devfs;\nmount.fstab =\
+/etc/rc.shutdown';\nexec.clean;\nmount.devfs;\nmount.fstab = \
-	${bastille_jail_fstab};\n\n${NAME} {\n\tip4.addr = ${IP};\n}" >\
+${bastille_jail_fstab};\n\n${NAME} {\n\tip4.addr = ${IP};\n}" > \
-	${bastille_jail_conf}
+${bastille_jail_conf}
-    fi
+fi
    ## using relative paths here
    ## MAKE SURE WE'RE IN THE RIGHT PLACE
@@ -124,22 +135,25 @@ create_jail() {
    cp -a "${bastille_releasesdir}/${RELEASE}/usr/obj" "${bastille_jail_path}"
    if [ "${RELEASE}" == "11.2-RELEASE" ]; then cp -a "${bastille_releasesdir}/${RELEASE}/usr/tests" "${bastille_jail_path}"; fi
-    ## rc.conf.local
+    ## rc.conf
    ##  + syslogd_flags="-ss"
    ##  + sendmail_none="NONE"
    ##  + cron_flags="-J 60" ## cedwards 20181118
    ## resolv.conf
    if [ ! -f "${bastille_jail_rc_conf}" ]; then
-        echo -e "syslogd_flags=\"-ss\"\nsendmail_enable=\"NONE\"" > ${bastille_jail_rc_conf}
+        touch "${bastille_jail_rc_conf}"
-	echo -e "cron_flags=\"-J 60\"" >> ${bastille_jail_rc_conf}
+        /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" syslogd_flags=-ss
        /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" sendmail_enable=NONE
        /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" cron_flags='-J 60'
        echo
    fi
    ## resolv.conf (default: copy from host)
    if [ ! -f "${bastille_jail_resolv_conf}" ]; then
-        echo -e "nameserver 1.1.1.1\nnameserver 1.0.0.1\noptions edns0 rotate" > ${bastille_jail_resolv_conf}
+        cp -L ${bastille_resolv_conf} ${bastille_jail_resolv_conf}
    fi
-    ## TZ: UTC
+    ## TZ: configurable (default: etc/UTC)
-    ln -s /usr/share/zoneinfo/Etc/UTC etc/localtime
+    ln -s /usr/share/zoneinfo/${bastille_tzdata} etc/localtime
 }
 # Handle special-case commands first.
@@ -159,50 +173,17 @@ IP="$3"
 ## verify release
 case "${RELEASE}" in
-10.1-RELEASE)
+11.2-RELEASE|11.2-release)
    RELEASE="10.1-RELEASE"
 	;;
 10.2-RELEASE)
    RELEASE="10.2-RELEASE"
 	;;
 10.3-RELEASE)
    RELEASE="10.3-RELEASE"
 	;;
 10.4-RELEASE)
    RELEASE="10.4-RELEASE"
    ;;
 11.0-RELEASE)
    RELEASE="11.0-RELEASE"
    ;;
 11.1-RELEASE)
    RELEASE="11.1-RELEASE"
    ;;
 11.2-RELEASE)
    RELEASE="11.2-RELEASE"
    ;;
-12.0-RELEASE)
+12.0-RELEASE|12.0-release)
    RELEASE="12.0-RELEASE"
    ;;
-12.0-BETA1)
+11-stable-LAST|11-STABLE-last|11-stable-last|11-STABLE-LAST)
-    RELEASE="12.0-BETA1"
+    RELEASE="11-stable-LAST"
    ;;
-12.0-BETA2)
+12-stable-LAST|12-STABLE-last|12-stable-last|12-STABLE-LAST)
-    RELEASE="12.0-BETA2"
+    RELEASE="12-stable-LAST"
    ;;
 12.0-BETA3)
    RELEASE="12.0-BETA3"
    ;;
 12.0-BETA4)
    RELEASE="12.0-BETA4"
    ;;
 12.0-RC1)
    RELEASE="12.0-RC1"
    ;;
 12.0-RC2)
    RELEASE="12.0-RC2"
    ;;
 12.0-RC3)
    RELEASE="12.0-RC3"
    ;;
 *)
    echo -e "${COLOR_RED}Unknown Release.${COLOR_RESET}"
@@ -216,6 +197,12 @@ if [ -d "${bastille_jailsdir}/${NAME}/root/.bastille" ]; then
    exit 1
 fi
 ## check for required release
 if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
    echo -e "${COLOR_RED}Release must be bootstrapped first; see `bastille bootstrap`.${COLOR_RESET}"
    exit 1
 fi
 ## check if a running jail matches name
 if running_jail ${NAME}; then
    echo -e "${COLOR_RED}A running jail matches name.${COLOR_RESET}"
--- a/usr/local/share/bastille/destroy.sh
+++ b/usr/local/share/bastille/destroy.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -53,10 +53,24 @@ destroy_jail() {
    if [ -d "${bastille_jail_base}" ]; then
        echo -e "${COLOR_GREEN}Deleting Jail: ${NAME}.${COLOR_RESET}"
        if [ "${bastille_zfs_enable}" = "YES" ]; then
            if [ ! -z "${bastille_zfs_zpool}" ]; then
                zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}
            fi
        fi
        ## removing all flags
        chflags -R noschg ${bastille_jail_base}
        ## remove jail base
        rm -rf ${bastille_jail_base}
-        echo -e "${COLOR_GREEN}Note: jail console logs not destroyed.${COLOR_RESET}"
+
-	echo -e "${COLOR_GREEN}${bastille_jail_log}${COLOR_RESET}"
+        ## archive jail log
        if [ -f "${bastille_jail_log}" ]; then
            mv ${bastille_jail_log} ${bastille_jail_log}-$(date +%F)
            echo -e "${COLOR_GREEN}Note: jail console logs archived.${COLOR_RESET}"
            echo -e "${COLOR_GREEN}${bastille_jail_log}-$(date +%F)${COLOR_RESET}"
        fi
        echo
    fi
 }
--- a/usr/local/share/bastille/freebsd_dist_fetch.sh
+++ b/usr/local/share/bastille/freebsd_dist_fetch.sh
@@ -1,52 +0,0 @@
 #!/bin/sh
 # https://pastebin.com/T6eThbKu
 . /usr/local/etc/bastille/bastille.conf
 DEVICE_SELF_SCAN_ALL=NO
 [ "$_SCRIPT_SUBR" ] || . /usr/share/bsdconfig/script.subr
 usage(){ echo "Usage: ${0##*/} [-r releaseName] [dists ...]" >&2; exit 1; }
 while getopts hr: flag; do
 	case "$flag" in
 	r) releaseName="$OPTARG" ;;
 	*) usage
 	esac
 done
 shift $(( $OPTIND - 1 ))
 nonInteractive=1
 MEDIA_TIMEOUT=3 # because ftp.f.o has no SRV records
 _ftpPath=ftp://ftp.freebsd.org
 mediaSetFTP
 mediaOpen
 set -e
 #debug=1
 REL_DIST=${bastille_cachedir}/$releaseName
 download() # $src to $dest
 {
 	size=$( f_device_get device_media "$1" $PROBE_SIZE )
 	f_device_get device_media "$1" | dpv -kb "BastilleBSD" \
 		-t "bootstrap" -p "Downloading $releaseName" \
 		-o "$3" "$size:$1"
 }
 sign() # $file
 {
 	dpv -kb "BastilleBSD" -t "bootstrap" \
 		-p "Signing $releaseName" -mx "sha256 >&2" \
 		"$size:${1##*/}" "$1" 2>&1 >&$TERMINAL_STDOUT_PASSTHRU
 }
 mkdir -p $REL_DIST
 MANIFEST=$REL_DIST/MANIFEST
 download MANIFEST to $MANIFEST
 dists="$*"
 for dist in ${dists:-$( awk '$0=$4' $MANIFEST )}; do
 	eval "$( awk -v dist=$dist '$4 == dist {
 		print "distfile=" $1
 		print "sig=" $2
 		exit found = 1
 	} END { exit ! found }' $MANIFEST )"
 	destfile=$REL_DIST/$distfile
 	download $distfile to $destfile
 	[ "$( sign $destfile )" = $sig ] ||
 		f_die "$distfile signature mismatch!"
 done
 f_dialog_info "All dists successfully downloaded/verified."
--- a/usr/local/share/bastille/htop.sh
+++ b/usr/local/share/bastille/htop.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
--- a/usr/local/share/bastille/list.sh
+++ b/usr/local/share/bastille/list.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -37,7 +37,7 @@ usage() {
 }
 if [ $# -eq 0 ]; then
-    jls -N
+    jls -N | grep -v 'poudriere'
 fi
 if [ $# -gt 0 ]; then
--- a/usr/local/share/bastille/pkg.sh
+++ b/usr/local/share/bastille/pkg.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
--- a/usr/local/share/bastille/restart.sh
+++ b/usr/local/share/bastille/restart.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
--- a/usr/local/share/bastille/service.sh
+++ b/usr/local/share/bastille/service.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
--- a/usr/local/share/bastille/start.sh
+++ b/usr/local/share/bastille/start.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
--- a/usr/local/share/bastille/stop.sh
+++ b/usr/local/share/bastille/stop.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
--- a/usr/local/share/bastille/sysrc.sh
+++ b/usr/local/share/bastille/sysrc.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
--- a/usr/local/share/bastille/template.sh
+++ b/usr/local/share/bastille/template.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -57,6 +57,7 @@ fi
 ## global variables
 TEMPLATE=$2
 bastille_template=${bastille_templatesdir}/${TEMPLATE}
 bastille_template_TARGET=${bastille_template}/TARGET
 bastille_template_INCLUDE=${bastille_template}/INCLUDE
 bastille_template_PRE=${bastille_template}/PRE
 bastille_template_CONFIG=${bastille_template}/CONFIG
@@ -72,6 +73,20 @@ for _jail in ${JAILS}; do
    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
    ## TARGET
    if [ -s "${bastille_template_TARGET}" ]; then
        if [ $(grep -E "(^|\b)\!${_jail}($|\b)" ${bastille_template_TARGET}) ]; then
            echo -e "${COLOR_GREEN}TARGET: !${_jail}.${COLOR_RESET}"
 	    echo
            continue
        fi
 	if [ ! $(grep -E "(^|\b)(${_jail}|ALL)($|\b)" ${bastille_template_TARGET}) ]; then
            echo -e "${COLOR_GREEN}TARGET: ?${_jail}.${COLOR_RESET}"
 	    echo
            continue
        fi
    fi
    ## INCLUDE
    if [ -s "${bastille_template_INCLUDE}" ]; then
        echo -e "${COLOR_GREEN}Detected INCLUDE.${COLOR_RESET}"
@@ -113,8 +128,8 @@ for _jail in ${JAILS}; do
    if [ -s "${bastille_template_PKG}" ]; then
        echo -e "${COLOR_GREEN}Installing packages.${COLOR_RESET}"
        jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg bootstrap
-        jexec -l "${_jail}" /usr/sbin/pkg audit -F
+        jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg audit -F
-        jexec -l "${_jail}" /usr/sbin/pkg install $(cat ${bastille_template_PKG})
+        jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg install $(cat ${bastille_template_PKG})
    fi
    ## sysrc
--- a/usr/local/share/bastille/top.sh
+++ b/usr/local/share/bastille/top.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
--- a/usr/local/share/bastille/update.sh
+++ b/usr/local/share/bastille/update.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -49,6 +49,11 @@ fi
 RELEASE=$1
 if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
    echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
    exit 1
 fi
 if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
    freebsd-update -b "${bastille_releasesdir}/${RELEASE}" fetch install --currently-running ${RELEASE}
 else
--- a/usr/local/share/bastille/upgrade.sh
+++ b/usr/local/share/bastille/upgrade.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -50,6 +50,12 @@ fi
 RELEASE=$1
 NEWRELEASE=$2
 if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
    echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
    exit 1
 fi
 if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
    freebsd-update -b "${bastille_releasesdir}/${RELEASE}" -r ${NEWRELEASE} upgrade
 else
--- a/usr/local/share/bastille/verify.sh
+++ b/usr/local/share/bastille/verify.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -49,6 +49,11 @@ fi
 RELEASE=$1
 if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
    echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
    exit 1
 fi
 if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
    freebsd-update -b "${bastille_releasesdir}/${RELEASE}" IDS
 else
Author	SHA1	Message	Date
Christer Edwards	6d69c82a04	Merge pull request #36 from cedwards/master update bastille.conf for updated options	2019-06-22 09:56:47 -06:00
Christer Edwards	e74bbd089c	update bastille.conf for updated options	2019-06-22 09:55:28 -06:00
Christer Edwards	90707cd5c9	Merge pull request #35 from cedwards/master remove unused freebsd_dist_fetch.sh	2019-06-22 09:40:11 -06:00
Christer Edwards	2b2012f1be	remove unused freebsd_dist_fetch.sh	2019-06-22 09:39:16 -06:00
Christer Edwards	652c8f095e	Merge pull request #34 from cedwards/master Bastille 0.4.20190622	2019-06-22 09:36:37 -06:00
Christer Edwards	344837689d	makes create.sh less case-sensitive for release name	2019-06-22 09:32:46 -06:00
Christer Edwards	52c8df69e3	Bastille 0.4.20190622 - ZFS plus bugfixes	2019-06-22 09:28:42 -06:00
Christer Edwards	e5ae4d0743	Merge pull request #33 from cedwards/master May 2019 update: HardenedBSD, tzdata, NS	2019-05-22 21:59:01 -06:00
Christer Edwards	c9ebc886fd	May 2019 update: HardenedBSD, tzdata, NS - closes #32: support HardenedBSD - adds support for defined nameservers in new jails (up to three) - adds support for defined nameserver options (eg; options edns0 rotate) - adds support for defined tzdata in new jails (eg; America/Denver, etc/UTC) - adds support for dynamic hw.machine/hw.machine_arch downloads - new jails now output default rc.conf settings (sysrc) at creation - no longer use freebsd_dist_fetch.sh; replaced with simpler fetch	2019-05-22 21:50:29 -06:00
Christer Edwards	cccf4ff31f	Merge pull request #31 from cedwards/master updated README.md	2019-03-11 17:54:41 -06:00
Christer Edwards	6f1da4b265	updated README.md to include ports tree support	2019-03-11 17:51:32 -06:00
Christer Edwards	57bd13c9ce	Merge pull request #29 from cedwards/master update copyright; fixes #28	2019-02-04 21:32:21 -07:00
Christer Edwards	957465dfa4	update bootstrap to support configurable archives	2019-02-04 21:31:34 -07:00
Christer Edwards	e2b4f84cfe	update copyright; fixes #28	2019-02-04 21:08:00 -07:00
Christer Edwards	29e98b554f	Merge pull request #27 from cedwards/master bootstrap fix	2019-01-02 20:10:46 -07:00
Christer Edwards	655f8d0fe9	bootstrap fix	2019-01-02 20:08:49 -07:00
Christer Edwards	d35b2cc119	Merge pull request #26 from cedwards/master 0.3.20181202 template targets	2018-12-02 08:27:38 -07:00
Christer Edwards	6a8c2f8e53	0.3.20181202 template targets	2018-12-02 08:23:27 -07:00
Christer Edwards	2e6b8f355e	Merge pull request #25 from cedwards/master 0.3.2018113001 updated readme; add pkg	2018-11-30 11:39:51 -07:00
Christer Edwards	78bc3cb9c4	0.3.2018113001 updated readme; add pkg	2018-11-30 11:39:05 -07:00
Christer Edwards	46bfa62cb9	Merge pull request #24 from cedwards/master 0.3.20181130 damned typos	2018-11-30 09:13:49 -07:00
Christer Edwards	a495350d26	0.3.20181130 damned typos	2018-11-30 09:12:43 -07:00
Christer Edwards	7d40be61dd	Merge pull request #23 from cedwards/master 0.3.20181128 go go gadget git clone templates	2018-11-28 21:05:30 -07:00
Christer Edwards	eb4aab01f9	0.3.20181128 go go gadget git clone templates	2018-11-28 21:02:42 -07:00
Christer Edwards	f84317f7e4	Merge pull request #22 from cedwards/master 0.3.2018112401 bastille.rtfd.org	2018-11-24 20:09:00 -07:00
Christer Edwards	9431af5eb0	0.3.2018112401 bastille.rtfd.org	2018-11-24 20:07:20 -07:00
Christer Edwards	06e3fdacd4	Merge pull request #21 from cedwards/master 0.3.2018112400 README updated for release	2018-11-24 10:20:20 -07:00
Christer Edwards	093bcaa4f4	0.3.2018112400 README updated for release	2018-11-24 10:19:01 -07:00