Merge pull request #36 from cedwards/master

update bastille.conf for updated options

LICENSE

@@ -1,6 +1,6 @@
 BSD 3-Clause License
 
-Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

README.md

@@ -1,38 +1,22 @@
 Bastille
 ========
-Bastille is a jail automation framework that allows you to quickly and
-easily create and manage FreeBSD jail.
+Bastille is a jail automation framework that allows you to quickly create and
+manage FreeBSD jails.
 
 
 Installation
-------------
-Bastille is not (yet) in the official ports tree, but I have built and verified
-binary packages.
-
-To install using one of the BETA binary packages, copy the URL for the latest
-release here (TXZ file): https://github.com/bastillebsd/bastille/releases
-
-Then, install via `pkg`. 
-Example:
+============
+Bastille is available in the official ports tree.
 
+**pkg**
 ```shell
-pkg add https://github.com/BastilleBSD/bastille/releases/download/0.3.20181130/bastille-0.3.20181130_2.txz
+pkg install bastille
 ```
 
-BETA binary packages are signed. These can be verified with this pubkey:
-
+**ports**
+```shell
+make -C /usr/ports/sysutils/bastille install clean
 ```
------BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq28OLDhJ12JmsKKcJpnn
-pCW3fFYBNI1BtdvTvFx57ZXvQ2qecBvnR9+XWi83hKS9ALTKZI6CLC2uTv1fIsZl
-u6rDRRNZwZFfITACSfwI+7UObMXz3oBZjk94J3rIegk49EyjDswKdVWv5k1EiVXF
-SAwXSl2kA2hGfQJkj5NS4nrfoRBc0z6fm+BGdNuHKSTmeZh1dbLEHt9EArD20DJ7
-HIr8vUSPLwONeqJCBFA/MeDO+GpwtwA/ldc2ZZy1RCPctdC2NeiGW7oy1yVDu6wp
-mHCq8qDfmCx5Aex84rWUf9iH8TM92AWmegTaz2p+BgESctpjNRCUuSEwOCBIO6g5
-3wIDAQAB
------END PUBLIC KEY-----
-```
-
 
 Basic Usage
 -----------
@@ -66,15 +50,13 @@ Use "bastille command -h|--help" for more information about a command.
 ```
 
 
-## 0.3-beta
+## 0.4-beta
 This document outlines the basic usage of the Bastille jail management
-framework. This release, obviously, is beta quality. I make no guarantees of
-quality, and if it screws up your system... Sorry, bro. 
-
-With all that said, here's how to use this tool in its current beta state...
+framework. This release is still considered beta.
 
 
-## Network Requirements
+Network Requirements
+====================
 In order to segregate jails from the network and from the world, Bastille
 attaches jails to a loopback interface only. The host system then acts as
 the firewall, permitting and denying traffic as needed.
@@ -86,14 +68,16 @@ ishmael ~ # sysrc cloned_interfaces+=lo1
 ishmael ~ # service netif cloneup
 ```
 
-Second, enable NAT through the firewall:
+Second, enable the firewall:
 
 ```shell
 ishmael ~ # sysrc pf_enable="YES"
 ```
 
 Create the firewall config, or merge as necessary.
-### /etc/pf.conf
+
+/etc/pf.conf
+------------
 ```
 ext_if="vtnet0"
 
@@ -101,10 +85,10 @@ set block-policy drop
 scrub in on $ext_if all fragment reassemble
 
 set skip on lo
-nat on $ext_if from !($ext_if) -> ($ext_if:0)
+nat on $ext_if from lo1:network to any -> ($ext_if)
 
 ## rdr example
-## rdr pass inet proto tcp from any to any port {80, 443} -> 10.88.9.45
+## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
 
 block in log all
 pass out quick modulate state
@@ -122,7 +106,7 @@ Note: if you have an existing firewall, the key lines for in/out traffic to jail
 nat on $ext_if from lo1:network to any -> ($ext_if)
 
 ## rdr example
-## rdr pass inet proto tcp from any to any port {80, 443} -> 10.88.9.45
+## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
 ```
 
 The `nat` routes traffic from the loopback interface to the external interface
@@ -130,7 +114,7 @@ for outbound access.
 
 The `rdr pass ...` will redirect traffic from the host firewall on port X to
 the ip of Jail Y. The example shown redirects web traffic (80 & 443) to the
-jails at `10.88.9.45`.
+jails at `10.17.89.45`.
 
 We'll get to that later, but when you're ready to allow traffic inbound to your
 jails, that's where you'd do it.
@@ -147,11 +131,46 @@ session and continue.
 This step only needs to be done once in order to prepare the host.
 
 
+ZFS support
+===========
+
+![BastilleBSD Twitter Poll](/docs/images/bastillebsd-twitter-poll.png)
+
+Bastille 0.4 added initial support for ZFS. `bastille bootstrap` and `bastille
+create` will generate ZFS volumes based on settings found in the
+`bastille.conf`. This section outlines how to enable and configure Bastille for
+ZFS.
+
+Two values are required for Bastille to use ZFS. The default values in the
+`bastille.conf` are empty. Populate these two to enable ZFS.
+
+```shell
+## ZFS options
+bastille_zfs_enable=""                                  ## default: ""
+bastille_zfs_zpool=""                                   ## default: ""
+bastille_zfs_prefix="bastille"                          ## default: "${bastille_zfs_zpool}/bastille"
+bastille_zfs_mountpoint=${bastille_prefix}              ## default: "${bastille_prefix}"
+bastille_zfs_options="-o compress=lz4 -o atime=off"     ## default: "-o compress=lz4 -o atime=off"
+```
+
+**Example**
+
+```shell
+ishmael ~ # sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_enable=YES
+ishmael ~ # sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_zpool=ZPOOL_NAME
+```
+
+Replace `ZPOOL_NAME` with the zpool you want Bastille to use. Tip: `zpool list`
+and `zpool status` will help.
+
+
 bastille bootstrap
 ------------------
-The first step is to "bootstrap" a release. Current supported release is
-11.2-RELEASE, but you can bootstrap anything in the ftp.FreeBSD.org RELEASES
-directory. 
+Before you can begin creating jails, Bastille needs to "bootstrap" a release.
+Current supported releases are 11.2-RELEASE and 12.0-RELEASE, but you can
+bootstrap anything in the ftp.FreeBSD.org RELEASES directory.
+
+**Important: If you need ZFS support see the above section BEFORE bootstrapping.**
 
 Note: your mileage may vary with unsupported releases and releases newer than
 the host system likely will NOT work at all.
@@ -159,48 +178,74 @@ the host system likely will NOT work at all.
 To `bootstrap` a release, run the bootstrap sub-command with the
 release version as the argument.
 
+
+** FreeBSD 12.0-RELEASE **
+```shell
+ishmael ~ # bastille bootstrap 12.0-RELEASE
+```
+
+** FreeBSD 11.2-RELEASE **
 ```shell
 ishmael ~ # bastille bootstrap 11.2-RELEASE
-ishmael ~ # bastille bootstrap 12.0-RELEASE
+```
+
+** HardenedBSD 12-STABLE-LAST **
+```shell
+ishmael ~ # bastille bootstrap 12-STABLE-LAST
+```
+
+** HardenedBSD 11-STABLE-LAST **
+```shell
+ishmael ~ # bastille bootstrap 11-STABLE-LAST
 ```
 
 This command will ensure the required directory structures are in place and
 download the requested release. For each requested release, `bootstrap` will
-download the base.txz and lib32.txz. These are both verified (sha256 via
-MANIFEST file) before they are extracted for use.
+download the base.txz. If you need more than base (eg; ports, lib32, src) you
+can configure the `bastille_bootstrap_archives` in the configuration file. By
+default this value is set to "base". Additional components are added, space
+separated, without extension.
 
-Downloaded artifacts are stored in the `cache` directory. "bootstrapped"
-releases are stored in `releases/version`.
+Bastille will attempt to fetch the required archives if they are not found in
+the `cache/$RELEASE` directory. 
+
+Downloaded artifacts are stored in the `cache/$RELEASE` directory. "bootstrapped"
+releases are stored in `releases/$RELEASE`.
+
+Advanced: If you want to create your own custom base.txz, or use an unsupported
+variant of FreeBSD, drop your own base.txz in `cache/$RELEASE/base.txz` and
+`bastille bootstrap` will attempt to extract and use it.
 
 The bootstrap subcommand is generally only used once to prepare the system. The
-only other use case for the bootstrap command is when a new FreeBSD version is
-released and you want to start building jails on that version.
+other use cases for the bootstrap command are when a new FreeBSD version is
+released and you want to start building jails on that version, or bootstrapping
+templates from GitHub or GitLab.
 
-To update a release as patches are made available, see the `bastille update`
-command.
+See `bastille update` to ensure your bootstrapped releases include the latest
+patches.
 
 
 bastille create
 ---------------
-Bastille create uses any available bootstrapped release to create a lightweight
-jailized system. To create a jail simply provide a name, release and
+`bastille create` uses a bootstrapped release to create a lightweight
+jailed system. To create a jail simply provide a name, release and
 a private (rfc1918) IP address.
 
 - name
 - release (bootstrapped)
 - ip
 
+
 ```shell
-ishmael ~ # bastille create folsom 11.2-RELEASE 10.8.62.1
+ishmael ~ # bastille create folsom 12.0-RELEASE 10.17.89.10
 
-RELEASE: 11.2-RELEASE.
+RELEASE: 12.0-RELEASE.
 NAME: folsom.
-IP: 10.8.62.1.
-
+IP: 10.17.89.10.
 ```
 
-This command will create a 11.2-RELEASE jail assigning the 10.8.62.1 ip address
-to the new system.
+This command will create a 12.0-RELEASE jail assigning the 10.17.89.10 ip
+address to the new system.
 
 I recommend using private (rfc1918) ip address ranges for your jails.
 These ranges include:
@@ -209,8 +254,11 @@ These ranges include:
 - 172.16.0.0/12
 - 192.168.0.0/16
 
+If your Bastille host also uses private (rfc1918) addresses, use a different
+range for your jails. ie; Host uses 192.168.0.0/16, jails use 10.0.0.0/8.
+
 Bastille does its best to validate the submitted ip is valid. This has not been
-thouroughly tested--I generally use the 10/8 range.
+thouroughly tested. I generally use the 10.0.0.0/8 range for jails.
 
 
 bastille start
@@ -219,9 +267,6 @@ To start a jail you can use the `bastille start` command.
 
 ```shell
 ishmael ~ # bastille start folsom
-Targeting specified jails.
-folsom
-
 [folsom]:
 folsom: created
 
@@ -234,9 +279,6 @@ To stop a jail you can use the `bastille stop` command.
 
 ```shell
 ishmael ~ # bastille stop folsom
-Targeting specified jails.
-folsom
-
 [folsom]:
 folsom: removed
 
@@ -249,15 +291,9 @@ To restart a jail you can use the `bastille restart` command.
 
 ```shell
 ishmael ~ # bastille restart folsom
-Targeting specified jails.
-folsom
-
 [folsom]:
 folsom: removed
 
-Targeting specified jails.
-folsom
-
 [folsom]:
 folsom: created
 
@@ -270,9 +306,6 @@ To execute commands within the jail you can use `bastille cmd`.
 
 ```shell
 ishmael ~ # bastille cmd folsom 'ps -auxw'
-Targeting specified jails.
-folsom
-
 [folsom]:
 USER   PID %CPU %MEM   VSZ  RSS TT  STAT STARTED    TIME COMMAND
 root 71464  0.0  0.0 14536 2000  -  IsJ   4:52PM 0:00.00 /usr/sbin/syslogd -ss
@@ -288,9 +321,6 @@ To manage binary packages within the jail use `bastille pkg`.
 
 ```shell
 ishmael ~ # bastille pkg folsom 'install vim-console git-lite zsh'
-Targeting specified jails.
-folsom
-
 [folsom]:
 The package management tool is not yet installed on your system.
 Do you want to fetch and install it now? [y/N]: y
@@ -361,23 +391,20 @@ Creating user 'git_daemon' with uid '964'.
 [folsom] [9/10] Extracting git-lite-2.19.1: 100%
 [folsom] [10/10] Installing zsh-5.6.2...
 [folsom] [10/10] Extracting zsh-5.6.2: 100%
-
 ```
 
 The PKG sub-command can, of course, do more than just `install`. The
 expectation is that you can fully leverage the pkg manager. This means,
-`install`, `update`, `upgrade`, `audit`, `clean`, `autoremove`, etc., etc.
+`install`, `update`, `upgrade`, `audit`, `clean`, `autoremove`, etc.
 
 ```shell
 ishmael ~ # bastille pkg ALL upgrade
-Targeting all jails.
-
 [bastion]:
-Updating iniquity.io repository catalogue...
+Updating pkg.bastillebsd.org repository catalogue...
 [bastion] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
 [bastion] Fetching packagesite.txz: 100%  118 KiB 121.3kB/s    00:01
 Processing entries: 100%
-iniquity.io repository update completed. 493 packages processed.
+pkg.bastillebsd.org repository update completed. 493 packages processed.
 All repositories are up to date.
 Checking for upgrades (1 candidates): 100%
 Processing candidates (1 candidates): 100%
@@ -385,11 +412,11 @@ Checking integrity... done (0 conflicting)
 Your packages are up to date.
 
 [unbound0]:
-Updating iniquity.io repository catalogue...
+Updating pkg.bastillebsd.org repository catalogue...
 [unbound0] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
 [unbound0] Fetching packagesite.txz: 100%  118 KiB 121.3kB/s    00:01
 Processing entries: 100%
-iniquity.io repository update completed. 493 packages processed.
+pkg.bastillebsd.org repository update completed. 493 packages processed.
 All repositories are up to date.
 Checking for upgrades (0 candidates): 100%
 Processing candidates (0 candidates): 100%
@@ -397,11 +424,11 @@ Checking integrity... done (0 conflicting)
 Your packages are up to date.
 
 [unbound1]:
-Updating iniquity.io repository catalogue...
+Updating pkg.bastillebsd.org repository catalogue...
 [unbound1] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
 [unbound1] Fetching packagesite.txz: 100%  118 KiB 121.3kB/s    00:01
 Processing entries: 100%
-iniquity.io repository update completed. 493 packages processed.
+pkg.bastillebsd.org repository update completed. 493 packages processed.
 All repositories are up to date.
 Checking for upgrades (0 candidates): 100%
 Processing candidates (0 candidates): 100%
@@ -409,11 +436,11 @@ Checking integrity... done (0 conflicting)
 Your packages are up to date.
 
 [squid]:
-Updating iniquity.io repository catalogue...
+Updating pkg.bastillebsd.org repository catalogue...
 [squid] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
 [squid] Fetching packagesite.txz: 100%  118 KiB 121.3kB/s    00:01
 Processing entries: 100%
-iniquity.io repository update completed. 493 packages processed.
+pkg.bastillebsd.org repository update completed. 493 packages processed.
 All repositories are up to date.
 Checking for upgrades (0 candidates): 100%
 Processing candidates (0 candidates): 100%
@@ -421,11 +448,11 @@ Checking integrity... done (0 conflicting)
 Your packages are up to date.
 
 [nginx]:
-Updating iniquity.io repository catalogue...
+Updating pkg.bastillebsd.org repository catalogue...
 [nginx] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
 [nginx] Fetching packagesite.txz: 100%  118 KiB 121.3kB/s    00:01
 Processing entries: 100%
-iniquity.io repository update completed. 493 packages processed.
+pkg.bastillebsd.org repository update completed. 493 packages processed.
 All repositories are up to date.
 Checking for upgrades (1 candidates): 100%
 Processing candidates (1 candidates): 100%
@@ -458,9 +485,6 @@ Note: jails must be stopped before destroyed.
 
 ```shell
 ishmael ~ # bastille stop folsom
-Targeting specified jails.
-folsom
-
 [folsom]:
 folsom: removed
 
@@ -477,7 +501,7 @@ Bastille supports a templating system allowing you to apply files, pkgs and
 execute commands inside the jail automatically.
 
 Currently supported template hooks are: `PRE`, `CONFIG`, `PKG`, `SYSRC`, `CMD`.
-Planned template hooks include: `FSTAB`, `PF`
+Planned template hooks include: `FSTAB`, `PF`, `LOG`
 
 Templates are created in `${bastille_prefix}/templates` and can leverage any of
 the template hooks. Simply create a new directory named after the template. eg;
@@ -498,12 +522,18 @@ echo "etc root usr" > /usr/local/bastille/templates/base/CONFIG
 Template hooks are executed in specific order and require specific syntax to
 work as expected. This table outlines those requirements:
 
-| HOOK    | format           | example                              |
-|---------|------------------|--------------------------------------|
-| PRE/CMD | /bin/sh command  | /usr/bin/chsh -s /usr/local/bin/zsh  |
-| CONFIG  | path             | etc root usr                         |
-| PKG     | port/pkg name(s) | vim-console zsh git-lite tree htop   |
-| SYSRC   | sysrc command(s) | nginx_enable=YES                     |
+| SUPPORTED | format           | example                                                        |
+|-----------|------------------|----------------------------------------------------------------|
+| PRE/CMD   | /bin/sh command  | /usr/bin/chsh -s /usr/local/bin/zsh                            |
+| CONFIG    | path             | etc root usr                                                   |
+| PKG       | port/pkg name(s) | vim-console zsh git-lite tree htop                             |
+| SYSRC     | sysrc command(s) | nginx_enable=YES                                               |
+
+| PLANNED | format           | example                                                        |
+|---------|------------------|----------------------------------------------------------------|
+| PF      | pf rdr entry     | rdr pass inet proto tcp from any to any port 80 -> 10.17.89.80 |
+| LOG     | path             | /var/log/nginx/access.log                                      |
+| FSTAB   | fstab syntax     | /path/on/host /path/in/jail nullfs ro 0 0                      |
 
 Note: SYSRC requires NO quotes or that quotes (`"`) be escaped. ie; `\"`)
 
@@ -531,6 +561,7 @@ The above example "etc usr" will include anything under "etc" and "usr" inside
 the template. You do not need to list individual files. Just include the
 top-level directory name.
 
+
 Applying Templates
 ------------------
 
@@ -573,10 +604,7 @@ In jail terms, this allows us to toggle on/off services and options at
 startup.
 
 ```shell
-ishmael ~ # bastille sysrc nginx nginx_enable="YES"
-Targeting specified jails.
-nginx
-
+ishmael ~ # bastille sysrc nginx nginx_enable=YES
 [nginx]:
 nginx_enable: NO -> YES
 ```
@@ -591,9 +619,6 @@ password-less root login.
 
 ```shell
 ishmael ~ # bastille console folsom
-Targeting specified jails.
-folsom
-
 [folsom]:
 FreeBSD 11.2-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018
 
@@ -623,6 +648,7 @@ At this point you are logged in to the jail and have full shell access.
 The system is yours to use and/or abuse as you like. Any changes made inside
 the jail are limited to the jail. 
 
+
 bastille cp
 -----------
 Note: this sub-command may need a little work. 
@@ -631,8 +657,6 @@ This sub-command allows efficiently copying files from host to jail(s).
 
 ```shell
 ishmael ~ # bastille cp ALL /tmp/resolv.conf-cf etc/resolv.conf
-Targeting all jails.
-
 [bastion]:
 
 [unbound0]:
@@ -657,12 +681,12 @@ This sub-command will show you the running jails on your system.
 ```shell
 ishmael ~ # bastille list
  JID             IP Address      Hostname                      Path
- bastion         10.88.9.65      bastion                       /usr/local/bastille/jails/bastion/root
- unbound0        10.88.9.60      unbound0                      /usr/local/bastille/jails/unbound0/root
- unbound1        10.88.9.61      unbound1                      /usr/local/bastille/jails/unbound1/root
- squid           10.88.9.30      squid                         /usr/local/bastille/jails/squid/root
- nginx           10.88.9.45      nginx                         /usr/local/bastille/jails/nginx/root
- folsom          10.8.62.1       folsom                        /usr/local/bastille/jails/folsom/root
+ bastion         10.17.89.65      bastion                       /usr/local/bastille/jails/bastion/root
+ unbound0        10.17.89.60      unbound0                      /usr/local/bastille/jails/unbound0/root
+ unbound1        10.17.89.61      unbound1                      /usr/local/bastille/jails/unbound1/root
+ squid           10.17.89.30      squid                         /usr/local/bastille/jails/squid/root
+ nginx           10.17.89.45      nginx                         /usr/local/bastille/jails/nginx/root
+ folsom          10.17.89.10      folsom                        /usr/local/bastille/jails/folsom/root
 ```
 
 
@@ -739,27 +763,21 @@ Example (create, start, console)
 This example creates, starts and consoles into the jail.
 
 ```shell
-ishmael ~ # bastille create alcatraz 11.2-RELEASE 10.9.8.7
+ishmael ~ # bastille create alcatraz 11.2-RELEASE 10.17.89.7
 
 RELEASE: 11.2-RELEASE.
 NAME: alcatraz.
-IP: 10.9.8.7.
+IP: 10.17.89.7.
 ```
 
 ```shell
 ishmael ~ # bastille start alcatraz
-Targeting specified jails.
-alcatraz
-
 [alcatraz]:
 alcatraz: created
 ```
 
 ```shell
 ishmael ~ # bastille console alcatraz
-Targeting specified jails.
-alcatraz
-
 [alcatraz]:
 FreeBSD 11.2-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018
 
@@ -822,29 +840,28 @@ Possible Jail names
 -------------------
 
 prisons:
+- alcatraz
 - arkham
 - ashecliffe
+- astralqueen
+- attica
 - azkaban
 - coldmountain
+- corcoran
 - dolguldur
+- folsom
 - foxriver
+- leavenworth
 - litchfield
 - oswald
+- pelicanbay
+- rikers
+- sanquentin
 - shawshank
+- singsing
 - stockton
 - stormcage
 - ziggurat
-- astralqueen
-
-- alcatraz
-- rikers
-- leavenworth
-- folsom
-- attica
-- singsing
-- sanquentin
-- corcoran
-- pelicanbay
 
 
 Networking Tips
@@ -854,7 +871,7 @@ Tip #1:
 -------
 Ports and destinations can be defined as lists. eg;
 ```
-rdr pass inet proto tcp from any to any port {80, 443} -> {10.88.9.45, 10.88.9.46, 10.88.9.47, 10.88.9.48}
+rdr pass inet proto tcp from any to any port {80, 443} -> {10.17.89.45, 10.17.89.46, 10.17.89.47, 10.17.89.48}
 ```
 
 This rule would redirect any traffic to the host on ports 80 or 443 and
@@ -865,9 +882,9 @@ Tip #2:
 -------
 Ports can redirect to other ports. eg;
 ```
-rdr pass inet proto tcp from any to any port 8080 -> 10.7.6.5 port 80
-rdr pass inet proto tcp from any to any port 8081 -> 10.7.6.5 port 8080
-rdr pass inet proto tcp from any to any port 8181 -> 10.7.6.5 port 443
+rdr pass inet proto tcp from any to any port 8080 -> 10.17.89.5 port 80
+rdr pass inet proto tcp from any to any port 8081 -> 10.17.89.5 port 8080
+rdr pass inet proto tcp from any to any port 8181 -> 10.17.89.5 port 443
 ```
 
 Tip #3:
@@ -882,9 +899,9 @@ can.
 
 Community Support
 =================
-We would love to hear your feedback on Bastille! Please join us on the
-[BastilleBSD Chat Server](https://chat.bastillebsd.org) and let us know what
-you think. Registration is currently open pending email verification. 
+We would love to hear your feedback on Bastille! Please join us in the
+[#bastillebsd](ircs://chat.freenode.net:6697/bastillebsd) and let us know what
+you think.
 
 Be mindful of the [Bastille Code of
 Conduct](https://github.com/BastilleBSD/bastille/blob/master/CODE-OF-CONDUCT.md)

docs/conf.py

@@ -8,7 +8,7 @@ else:
 # -- Project information -----------------------------------------------------
 
 project = 'Bastille'
-copyright = '2018, Christer Edwards'
+copyright = '2018-2019, Christer Edwards'
 author = 'Christer Edwards'
 
 # The short X.Y version

usr/local/bin/bastille

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -32,7 +32,7 @@
 . /usr/local/etc/bastille/bastille.conf
 
 ## version
-BASTILLE_VERSION="0.3.20190102"
+BASTILLE_VERSION="0.3.20190204"
 
 usage() {
     cat << EOF
@@ -88,16 +88,16 @@ esac
 # Filter out all non-commands
 case "${CMD}" in
 cmd|cp|create|destroy|list|pkg|restart|start|stop|sysrc|template|verify)
-	;;
+    ;;
 update|upgrade)
-	;;
+    ;;
 console|bootstrap|htop|top)
     ;;
 bootstrap|update|upgrade)
-	;;
+    ;;
 *)
-	usage
-	;;
+usage
+    ;;
 esac
 
 SCRIPTPATH="${bastille_sharedir}/${CMD}.sh"

usr/local/etc/bastille/bastille.conf

@@ -1,11 +1,30 @@
+#####################
 ## [ BastilleBSD ] ##
 #####################
 
 ## default paths
-bastille_prefix=/usr/local/bastille
-bastille_cachedir=${bastille_prefix}/cache
-bastille_jailsdir=${bastille_prefix}/jails
-bastille_logsdir=${bastille_prefix}/logs
-bastille_releasesdir=${bastille_prefix}/releases
-bastille_templatesdir=${bastille_prefix}/templates
-bastille_sharedir=/usr/local/share/bastille
+bastille_prefix=/usr/local/bastille                     ## default: "/usr/local/bastille"
+bastille_cachedir=${bastille_prefix}/cache              ## default: ${bastille_prefix}/cache
+bastille_jailsdir=${bastille_prefix}/jails              ## default: ${bastille_prefix}/jails
+bastille_logsdir=${bastille_prefix}/logs                ## default: ${bastille_prefix}/logs
+bastille_releasesdir=${bastille_prefix}/releases        ## default: ${bastille_prefix}/releases
+bastille_templatesdir=${bastille_prefix}/templates      ## default: ${bastille_prefix}/templates
+
+## bastille scripts directory (assumed by bastille pkg)
+bastille_sharedir=/usr/local/share/bastille             ## default: "/usr/local/share/bastille"
+
+## bootstrap archives (base, lib32, ports, src, test)
+bastille_bootstrap_archives="base"                      ## default: "base"
+
+## default timezone
+bastille_tzdata="etc/UTC"                               ## default: "etc/UTC"
+
+## default jail resolv.conf
+bastille_resolv_conf="/etc/resolv.conf"                 ## default: "/etc/resolv.conf"
+
+## ZFS options
+bastille_zfs_enable=""                               ## default: ""
+bastille_zfs_zpool=""                              ## default: ""
+bastille_zfs_prefix="bastille"                          ## default: "${bastille_zfs_zpool}/bastille"
+bastille_zfs_mountpoint=${bastille_prefix}              ## default: "${bastille_prefix}"
+bastille_zfs_options="-o compress=lz4 -o atime=off"     ## default: "-o compress=lz4 -o atime=off"

usr/local/share/bastille/bootstrap.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -43,44 +43,108 @@ help|-h|--help)
     ;;
 esac
 
-bootstrap_release() {
+bootstrap_directories() {
     ## ensure required directories are in place
-    if [ ! -d ${bastille_jailsdir} ]; then
-        mkdir -p ${bastille_jailsdir}
-    fi
-    if [ ! -d ${bastille_logsdir} ]; then
-        mkdir -p ${bastille_logsdir}
-    fi
-    if [ ! -d ${bastille_templatesdir} ]; then
-        mkdir -p ${bastille_templatesdir}
-    fi
-    if [ ! -d "${bastille_cachedir}/${RELEASE}" ]; then
-        mkdir -p "${bastille_cachedir}/${RELEASE}"
+
+    ## ${bastille_prefix}
+    if [ ! -d "${bastille_prefix}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ];then
+            if [ ! -z "${bastille_zfs_zpool}" ]; then
+                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_prefix} ${bastille_zfs_zpool}/${bastille_zfs_prefix}
+            fi
+        else
+            mkdir -p "${bastille_prefix}"
+        fi
     fi
 
-    ### create $bastille_base/release/$release directory
-    ### fetch $release/base.txz -o $bastille_base/cache/$release/base.txz
-    ### fetch $release/lib32.txz -o $bastille_base/cache/$release/lib32.txz
-    ### extract $release/base.txz to $bastille_base/release/$release
-    ### extract $release/lib32.txz to $bastille_base/release/$release
-    if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
-        mkdir -p "${bastille_releasesdir}/${RELEASE}"
-        sh ${bastille_sharedir}/freebsd_dist_fetch.sh -r ${RELEASE} base lib32
+    ## ${bastille_cachedir}
+    if [ ! -d "${bastille_cachedir}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ ! -z "${bastille_zfs_zpool}" ]; then
+                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_cachedir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache
+                mkdir -p ${bastille_cachedir}/${RELEASE}
+            fi
+        else
+            mkdir -p "${bastille_cachedir}"
+        fi
+    fi
 
-        echo
-        echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} base.txz.${COLOR_RESET}"
-        /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/base.txz"
+    ## ${bastille_jailsdir}
+    if [ ! -d "${bastille_jailsdir}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ ! -z "${bastille_zfs_zpool}" ]; then
+                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_jailsdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails
+            fi
+        else
+            mkdir -p "${bastille_jailsdir}"
+        fi
+    fi
 
-        echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} lib32.txz.${COLOR_RESET}"
-        /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/lib32.txz"
+    ## ${bastille_logsdir}
+    if [ ! -d "${bastille_logsdir}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ ! -z "${bastille_zfs_zpool}" ]; then
+                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_logsdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/logs
+            fi
+        else
+            mkdir -p "${bastille_logsdir}"
+        fi
+    fi
 
-        echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
-        echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
-        echo
-    else
+    ## ${bastille_templatesdir}
+    if [ ! -d "${bastille_templatesdir}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ ! -z "${bastille_zfs_zpool}" ]; then
+                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_templatesdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates
+            fi
+        else
+            mkdir -p "${bastille_templatesdir}"
+        fi
+    fi
+
+    ## ${bastille_releasesdir}
+    if [ ! -d "${bastille_releasesdir}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ ! -z "${bastille_zfs_zpool}" ]; then
+                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_releasesdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases
+                mkdir -p "${bastille_releasesdir}/${RELEASE}"
+	        fi
+        else
+            mkdir -p "${bastille_releasesdir}"
+        fi
+    fi
+}
+
+bootstrap_release() {
+    ## if release exists, quit
+    if [ -f "${bastille_releasesdir}/${RELEASE}/COPYRIGHT" ]; then
         echo -e "${COLOR_RED}Bootstrap appears complete.${COLOR_RESET}"
         exit 1
     fi
+
+    for _archive in ${bastille_bootstrap_archives}; do
+        if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
+            echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
+            /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
+        fi
+    done
+
+
+    for _archive in ${bastille_bootstrap_archives}; do
+        if [ ! -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
+            fetch ${UPSTREAM_URL}/${_archive}.txz -o ${bastille_cachedir}/${RELEASE}/${_archive}.txz
+	fi
+
+        if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
+            echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
+            /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
+	fi
+    done
+    echo
+
+    echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
+    echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
+    echo
 }
 
 bootstrap_template() {
@@ -90,24 +154,11 @@ bootstrap_template() {
     _repo=${BASTILLE_TEMPLATE_REPO}
     _template=${bastille_templatesdir}/${_user}/${_repo}
 
-    ## verify essential directories are in place
-    if [ ! -d ${bastille_jailsdir} ]; then
-        mkdir -p ${bastille_jailsdir}
-    fi
-    if [ ! -d ${bastille_logsdir} ]; then
-        mkdir -p ${bastille_logsdir}
-    fi
-    if [ ! -d ${bastille_templatesdir} ]; then
-        mkdir -p ${bastille_templatesdir}
-    fi
-    if [ ! -d ${_template} ]; then
-        mkdir -p ${_template}
-    fi
-
     ## support for non-git
     if [ ! -x /usr/local/bin/git ]; then
 	echo -e "${COLOR_RED}We're gonna have to use fetch. Strap in.${COLOR_RESET}"
 	echo -e "${COLOR_RED}Not yet implemented...${COLOR_RESET}"
+	exit 1
     fi
 
     ## support for git
@@ -135,6 +186,8 @@ bootstrap_template() {
             echo
         fi
     done
+
+    # template overlay
     if [ -s ${_template}/CONFIG ]; then
         _hook_validate=$((_hook_validate+1))
         echo -e "${COLOR_GREEN}Detected CONFIG hook.${COLOR_RESET}"
@@ -162,24 +215,33 @@ bootstrap_template() {
 
 #Usage: bastille bootstrap [release|template].${COLOR_RESET}"
 
+HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }')
+HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }')
+
 # Filter sane release names
 case "${1}" in
-10.1-RELEASE|10.2-RELEASE|10.3-RELEASE|10.4-RELEASE)
-    RELEASE="${1}"
-    bootstrap_release
-    echo -e "${COLOR_RED}WARNING: FreeBSD 10.1-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
-    ;;
-11.0-RELEASE|11.1-RELEASE)
-    RELEASE="${1}"
-    bootstrap_release
-    echo -e "${COLOR_RED}WARNING: FreeBSD 11.0-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
-    ;;
 11.2-RELEASE)
     RELEASE="${1}"
+    UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/11.2-RELEASE/"
+    bootstrap_directories
     bootstrap_release
     ;;
 12.0-RELEASE)
     RELEASE="${1}"
+    UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/12.0-RELEASE/"
+    bootstrap_directories
+    bootstrap_release
+    ;;
+11-stable-LAST)
+    RELEASE="${1}"
+    UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-11-stable-LAST/"
+    bootstrap_directories
+    bootstrap_release
+    ;;
+12-stable-LAST)
+    RELEASE="${1}"
+    UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-12-stable-LAST/"
+    bootstrap_directories
     bootstrap_release
     ;;
 http?://github.com/*/*)
@@ -188,6 +250,7 @@ http?://github.com/*/*)
     BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }')
     echo -e "${COLOR_GREEN}Template: ${1}${COLOR_RESET}"
     echo
+    bootstrap_directories
     bootstrap_template
     ;;
 *)

usr/local/share/bastille/cmd.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/console.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/cp.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/create.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -41,6 +41,7 @@ running_jail() {
 }
 
 validate_ip() {
+    local IFS
     ip=${IP}
     
     if expr "$ip" : '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' >/dev/null; then
@@ -65,9 +66,19 @@ create_jail() {
     bastille_jail_fstab="${bastille_jailsdir}/${NAME}/fstab"  ## file
     bastille_jail_conf="${bastille_jailsdir}/${NAME}/jail.conf"  ## file
     bastille_jail_log="${bastille_logsdir}/${NAME}_console.log"  ## file
-    bastille_jail_rc_conf="${bastille_jailsdir}/${NAME}/root/etc/rc.conf.local" ## file
+    bastille_jail_rc_conf="${bastille_jailsdir}/${NAME}/root/etc/rc.conf" ## file
     bastille_jail_resolv_conf="${bastille_jailsdir}/${NAME}/root/etc/resolv.conf" ## file
 
+    if [ ! -d "${bastille_jailsdir}/${NAME}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ ! -z "${bastille_zfs_zpool}" ]; then
+                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_jailsdir}/${NAME} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}
+            fi
+        else
+            mkdir -p "${bastille_jailsdir}/${NAME}"
+        fi
+    fi
+
     if [ ! -d "${bastille_jail_base}" ]; then
         mkdir -p "${bastille_jail_base}"
         mkdir -p "${bastille_jail_path}/usr/home"
@@ -83,14 +94,14 @@ create_jail() {
     fi
 
     if [ ! -f "${bastille_jail_conf}" ]; then
-	echo -e "interface = lo1;\nhost.hostname = ${NAME};\nexec.consolelog =\
-	${bastille_jail_log};\npath = ${bastille_jail_path};\nip6 =\
-	disable;\nsecurelevel = 2;\ndevfs_ruleset = 4;\nenforce_statfs =\
-	2;\nexec.start = '/bin/sh /etc/rc';\nexec.stop = '/bin/sh\
-	/etc/rc.shutdown';\nexec.clean;\nmount.devfs;\nmount.fstab =\
-	${bastille_jail_fstab};\n\n${NAME} {\n\tip4.addr = ${IP};\n}" >\
-	${bastille_jail_conf}
-    fi
+echo -e "interface = lo1;\nhost.hostname = ${NAME};\nexec.consolelog = \
+${bastille_jail_log};\npath = ${bastille_jail_path};\nip6 = \
+disable;\nsecurelevel = 2;\ndevfs_ruleset = 4;\nenforce_statfs = \
+2;\nexec.start = '/bin/sh /etc/rc';\nexec.stop = '/bin/sh \
+/etc/rc.shutdown';\nexec.clean;\nmount.devfs;\nmount.fstab = \
+${bastille_jail_fstab};\n\n${NAME} {\n\tip4.addr = ${IP};\n}" > \
+${bastille_jail_conf}
+fi
 
     ## using relative paths here
     ## MAKE SURE WE'RE IN THE RIGHT PLACE
@@ -124,22 +135,25 @@ create_jail() {
     cp -a "${bastille_releasesdir}/${RELEASE}/usr/obj" "${bastille_jail_path}"
     if [ "${RELEASE}" == "11.2-RELEASE" ]; then cp -a "${bastille_releasesdir}/${RELEASE}/usr/tests" "${bastille_jail_path}"; fi
 
-    ## rc.conf.local
+    ## rc.conf
     ##  + syslogd_flags="-ss"
     ##  + sendmail_none="NONE"
     ##  + cron_flags="-J 60" ## cedwards 20181118
-    ## resolv.conf
     if [ ! -f "${bastille_jail_rc_conf}" ]; then
-        echo -e "syslogd_flags=\"-ss\"\nsendmail_enable=\"NONE\"" > ${bastille_jail_rc_conf}
-	echo -e "cron_flags=\"-J 60\"" >> ${bastille_jail_rc_conf}
+        touch "${bastille_jail_rc_conf}"
+        /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" syslogd_flags=-ss
+        /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" sendmail_enable=NONE
+        /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" cron_flags='-J 60'
+        echo
     fi
 
+    ## resolv.conf (default: copy from host)
     if [ ! -f "${bastille_jail_resolv_conf}" ]; then
-        echo -e "nameserver 1.1.1.1\nnameserver 1.0.0.1\noptions edns0 rotate" > ${bastille_jail_resolv_conf}
+        cp -L ${bastille_resolv_conf} ${bastille_jail_resolv_conf}
     fi
 
-    ## TZ: UTC
-    ln -s /usr/share/zoneinfo/Etc/UTC etc/localtime
+    ## TZ: configurable (default: etc/UTC)
+    ln -s /usr/share/zoneinfo/${bastille_tzdata} etc/localtime
 }
 
 # Handle special-case commands first.
@@ -159,50 +173,17 @@ IP="$3"
 
 ## verify release
 case "${RELEASE}" in
-10.1-RELEASE)
-    RELEASE="10.1-RELEASE"
-	;;
-10.2-RELEASE)
-    RELEASE="10.2-RELEASE"
-	;;
-10.3-RELEASE)
-    RELEASE="10.3-RELEASE"
-	;;
-10.4-RELEASE)
-    RELEASE="10.4-RELEASE"
-    ;;
-11.0-RELEASE)
-    RELEASE="11.0-RELEASE"
-    ;;
-11.1-RELEASE)
-    RELEASE="11.1-RELEASE"
-    ;;
-11.2-RELEASE)
+11.2-RELEASE|11.2-release)
     RELEASE="11.2-RELEASE"
     ;;
-12.0-RELEASE)
+12.0-RELEASE|12.0-release)
     RELEASE="12.0-RELEASE"
     ;;
-12.0-BETA1)
-    RELEASE="12.0-BETA1"
+11-stable-LAST|11-STABLE-last|11-stable-last|11-STABLE-LAST)
+    RELEASE="11-stable-LAST"
     ;;
-12.0-BETA2)
-    RELEASE="12.0-BETA2"
-    ;;
-12.0-BETA3)
-    RELEASE="12.0-BETA3"
-    ;;
-12.0-BETA4)
-    RELEASE="12.0-BETA4"
-    ;;
-12.0-RC1)
-    RELEASE="12.0-RC1"
-    ;;
-12.0-RC2)
-    RELEASE="12.0-RC2"
-    ;;
-12.0-RC3)
-    RELEASE="12.0-RC3"
+12-stable-LAST|12-STABLE-last|12-stable-last|12-STABLE-LAST)
+    RELEASE="12-stable-LAST"
     ;;
 *)
     echo -e "${COLOR_RED}Unknown Release.${COLOR_RESET}"
@@ -216,6 +197,12 @@ if [ -d "${bastille_jailsdir}/${NAME}/root/.bastille" ]; then
     exit 1
 fi
 
+## check for required release
+if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
+    echo -e "${COLOR_RED}Release must be bootstrapped first; see `bastille bootstrap`.${COLOR_RESET}"
+    exit 1
+fi
+
 ## check if a running jail matches name
 if running_jail ${NAME}; then
     echo -e "${COLOR_RED}A running jail matches name.${COLOR_RESET}"

usr/local/share/bastille/destroy.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -53,10 +53,24 @@ destroy_jail() {
 
     if [ -d "${bastille_jail_base}" ]; then
         echo -e "${COLOR_GREEN}Deleting Jail: ${NAME}.${COLOR_RESET}"
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ ! -z "${bastille_zfs_zpool}" ]; then
+                zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}
+            fi
+        fi
+
+        ## removing all flags
         chflags -R noschg ${bastille_jail_base}
+
+        ## remove jail base
         rm -rf ${bastille_jail_base}
-        echo -e "${COLOR_GREEN}Note: jail console logs not destroyed.${COLOR_RESET}"
-	echo -e "${COLOR_GREEN}${bastille_jail_log}${COLOR_RESET}"
+
+        ## archive jail log
+        if [ -f "${bastille_jail_log}" ]; then
+            mv ${bastille_jail_log} ${bastille_jail_log}-$(date +%F)
+            echo -e "${COLOR_GREEN}Note: jail console logs archived.${COLOR_RESET}"
+            echo -e "${COLOR_GREEN}${bastille_jail_log}-$(date +%F)${COLOR_RESET}"
+        fi
         echo
     fi
 }

usr/local/share/bastille/freebsd_dist_fetch.sh

@@ -1,52 +0,0 @@
-#!/bin/sh
-# https://pastebin.com/T6eThbKu
-
-. /usr/local/etc/bastille/bastille.conf
-
-DEVICE_SELF_SCAN_ALL=NO
-[ "$_SCRIPT_SUBR" ] || . /usr/share/bsdconfig/script.subr
-usage(){ echo "Usage: ${0##*/} [-r releaseName] [dists ...]" >&2; exit 1; }
-while getopts hr: flag; do
-	case "$flag" in
-	r) releaseName="$OPTARG" ;;
-	*) usage
-	esac
-done
-shift $(( $OPTIND - 1 ))
-nonInteractive=1
-MEDIA_TIMEOUT=3 # because ftp.f.o has no SRV records
-_ftpPath=ftp://ftp.freebsd.org
-mediaSetFTP
-mediaOpen
-set -e
-#debug=1
-REL_DIST=${bastille_cachedir}/$releaseName
-download() # $src to $dest
-{
-	size=$( f_device_get device_media "$1" $PROBE_SIZE )
-	f_device_get device_media "$1" | dpv -kb "BastilleBSD" \
-		-t "bootstrap" -p "Downloading $releaseName" \
-		-o "$3" "$size:$1"
-}
-sign() # $file
-{
-	dpv -kb "BastilleBSD" -t "bootstrap" \
-		-p "Signing $releaseName" -mx "sha256 >&2" \
-		"$size:${1##*/}" "$1" 2>&1 >&$TERMINAL_STDOUT_PASSTHRU
-}
-mkdir -p $REL_DIST
-MANIFEST=$REL_DIST/MANIFEST
-download MANIFEST to $MANIFEST
-dists="$*"
-for dist in ${dists:-$( awk '$0=$4' $MANIFEST )}; do
-	eval "$( awk -v dist=$dist '$4 == dist {
-		print "distfile=" $1
-		print "sig=" $2
-		exit found = 1
-	} END { exit ! found }' $MANIFEST )"
-	destfile=$REL_DIST/$distfile
-	download $distfile to $destfile
-	[ "$( sign $destfile )" = $sig ] ||
-		f_die "$distfile signature mismatch!"
-done
-f_dialog_info "All dists successfully downloaded/verified."

usr/local/share/bastille/htop.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/list.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -37,7 +37,7 @@ usage() {
 }
 
 if [ $# -eq 0 ]; then
-    jls -N
+    jls -N | grep -v 'poudriere'
 fi
 
 if [ $# -gt 0 ]; then

usr/local/share/bastille/pkg.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/restart.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/service.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/start.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/stop.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/sysrc.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/template.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/top.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/update.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -49,6 +49,11 @@ fi
 
 RELEASE=$1
 
+if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
+    echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
+    exit 1
+fi
+
 if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
     freebsd-update -b "${bastille_releasesdir}/${RELEASE}" fetch install --currently-running ${RELEASE}
 else

usr/local/share/bastille/upgrade.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -50,6 +50,12 @@ fi
 RELEASE=$1
 NEWRELEASE=$2
 
+if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
+    echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
+    exit 1
+fi
+
+
 if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
     freebsd-update -b "${bastille_releasesdir}/${RELEASE}" -r ${NEWRELEASE} upgrade
 else

usr/local/share/bastille/verify.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -49,6 +49,11 @@ fi
 
 RELEASE=$1
 
+if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
+    echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
+    exit 1
+fi
+
 if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
     freebsd-update -b "${bastille_releasesdir}/${RELEASE}" IDS
 else