Add system "xb000-0" configuration files

xb000-0/ejabberd/ejabberd.yml

@@ -0,0 +1,310 @@
+# Inferencium - xb000-0
+# ejabberd - Configuration
+
+# Copyright 2022 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause
+
+# Version: 6.0.0.11
+
+
+# Hosts
+hosts:
+  - inferencium.net
+  - dissensionclub.net
+
+# Hosts configuration
+host_config:
+  inferencium.net:
+    auth_method: internal
+  dissensionclub.net:
+    auth_method: internal
+
+# Language
+language: en
+
+# Security
+## Passwords
+auth_password_format: scram
+auth_scram_hash: sha256
+### Upgrade password hashes to SHA-512 when possible; currently infeasible due to current users
+### having passwords created using SHA-256.
+#auth_scram_hash: sha512
+
+## Server-to-Server
+s2s_dhfile: "/etc/ssl/inferencium.net/dh-3072.pem"
+s2s_ciphers:
+  - "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256"
+s2s_protocol_options:
+  - no_sslv2
+  - no_sslv3
+  - no_tlsv1
+  - no_tlsv1_1
+  - cipher_server_preferences
+s2s_use_starttls: required
+s2s_tls_compression: false
+s2s_zlib: false
+
+allow_multiple_connections: false
+
+# Logging
+loglevel: info
+hide_sensitive_log_data: true
+
+# Certificates
+ca_file: "/etc/ssl/certs/ca-certificates.crt"
+certfiles:
+  ## dissensionclub.net
+  - "/etc/ssl/dissensionclub.net/ejabberd.pem"
+  ## inferencium.net
+  - "/etc/ssl/inferencium.net/ejabberd.pem"
+  - "/etc/ssl/hfu.xmpp.inferencium.net/ejabberd.pem"
+  - "/etc/ssl/muc.xmpp.inferencium.net/ejabberd.pem"
+  - "/etc/ssl/xmpp.inferencium.net/ejabberd.pem"
+
+listen:
+  -
+    port: 5222
+    ip: "::"
+    module: ejabberd_c2s
+    dhfile: "/etc/ssl/inferencium.net/dh-3072.pem"
+    protocol_options:
+      - no_sslv2
+      - no_sslv3
+      - no_tlsv1
+      - no_tlsv1_1
+    ciphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256"
+    starttls: true
+    starttls_required: true
+    tls_compression: false
+    max_stanza_size: 262144
+    shaper: c2s_shaper
+    access: c2s
+  -
+    port: 5223
+    ip: "::"
+    module: ejabberd_c2s
+    dhfile: "/etc/ssl/inferencium.net/dh-3072.pem"
+    tls: true
+    protocol_options:
+      - no_sslv2
+      - no_sslv3
+      - no_tlsv1
+      - no_tlsv1_1
+    ciphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256"
+    tls_compression: false
+    max_stanza_size: 262144
+    shaper: c2s_shaper
+    access: c2s
+  -
+    port: 5269
+    ip: "::"
+    module: ejabberd_s2s_in
+    max_stanza_size: 524288
+  -
+    port: 5443
+    ip: "::"
+    module: ejabberd_http
+    tls: true
+    request_handlers:
+      /admin: ejabberd_web_admin
+      /api: mod_http_api
+      /bosh: mod_bosh
+      /captcha: ejabberd_captcha
+      /upload: mod_http_upload
+      /ws: ejabberd_http_ws
+    custom_headers:
+      "Access-Control-Allow-Origin": "*"
+      "Access-Control-Allow-Methods": "GET,HEAD,OPTIONS,PUT"
+      "Access-Control-Allow-Headers": "Authorization"
+      "Access-Control-Allow-Headers": "Content-Type, Origin, X-Requested-Width"
+      "Access-Control-Allow-Credentials": "true"
+  -
+    port: 5280
+    ip: "::"
+    module: ejabberd_http
+    request_handlers:
+      /admin: ejabberd_web_admin
+  -
+    port: 3478
+    ip: "::"
+    transport: udp
+    module: ejabberd_stun
+    use_turn: true
+    ## The server's public IPv4 address:
+    # turn_ipv4_address: "203.0.113.3"
+    ## The server's public IPv6 address:
+    # turn_ipv6_address: "2001:db8::3"
+
+acl:
+  local:
+    user_regexp: ""
+  loopback:
+    ip:
+      - 127.0.0.0/8
+      - ::1/128
+  admin:
+    user:
+      - "admin@inferencium.net"
+
+access_rules:
+  local:
+    allow: local
+  c2s:
+    deny: blocked
+    allow: all
+  announce:
+    allow: admin
+  configure:
+    allow: admin
+  muc_create:
+    allow: local
+  pubsub_createnode:
+    allow: local
+  trusted_network:
+    allow: loopback
+
+api_permissions:
+  "console commands":
+    from:
+      - ejabberd_ctl
+    who: all
+    what: "*"
+  "admin access":
+    who:
+      access:
+        allow:
+          - acl: loopback
+          - acl: admin
+      oauth:
+        scope: "ejabberd:admin"
+        access:
+          allow:
+            - acl: loopback
+            - acl: admin
+    what:
+      - "*"
+      - "!stop"
+      - "!start"
+  "public commands":
+    who:
+      ip: 127.0.0.1/8
+    what:
+      - status
+      - connected_users_number
+
+shaper:
+  normal:
+    rate: 3000
+    burst_size: 20000
+  fast: 100000
+
+shaper_rules:
+  max_user_sessions: 10
+  max_user_offline_messages:
+    5000: admin
+    100: all
+  c2s_shaper:
+    none: admin
+    normal: all
+  s2s_shaper: fast
+
+modules:
+  mod_adhoc: {}
+  mod_admin_extra: {}
+  mod_announce:
+    access: announce
+  mod_avatar: {}
+  mod_blocking: {}
+  mod_bosh: {}
+  mod_caps: {}
+  mod_carboncopy: {}
+  mod_client_state: {}
+  mod_configure: {}
+  mod_disco: {}
+  mod_fail2ban: {}
+  mod_http_api: {}
+  mod_http_upload:
+    name: HTTP File Upload
+    access: local
+    custom_headers:
+      "Access-Control-Allow-Origin": "*"
+        #"Access-Control-Allow-Origin": "https://@HOST@"
+      "Access-Control-Allow-Methods": "GET,HEAD,OPTIONS,PUT"
+      "Access-Control-Allow-Headers": "Content-Type"
+    docroot: /var/lib/ejabberd/upload/@HOST@
+    dir_mode: "2750"
+    file_mode: "0640"
+    max_size: 67108864
+    put_url: https://@HOST@:5443/upload
+    thumbnail: false
+  mod_last: {}
+  mod_mam:
+    assume_mam_usage: true
+    default: always
+  mod_mqtt: {}
+  mod_muc:
+    host: muc.xmpp.inferencium.net
+    access:
+      - allow
+    access_admin:
+      - allow: admin
+    access_create: muc_create
+    access_persistent: muc_create
+    access_mam:
+      - allow
+    default_room_options:
+      allow_private_messages: true
+#      allow_private_messages_from_visitors: nobody
+#      allow_voice_requests: false
+      anonymous: false
+      logging: false
+      mam: true
+#      members_only: true
+      persistent: true
+      public: false
+      public_list: false
+  mod_muc_admin: {}
+  mod_offline:
+    access_max_user_messages: max_user_offline_messages
+  mod_ping: {}
+  mod_privacy: {}
+  mod_private: {}
+  mod_proxy65:
+    access: local
+    max_connections: 5
+  mod_pubsub:
+    access_createnode: pubsub_createnode
+    plugins:
+      - flat
+      - pep
+    force_node_config:
+      ## Avoid buggy clients to make their bookmarks public
+      storage:bookmarks:
+        access_model: whitelist
+  mod_push: {}
+  mod_push_keepalive: {}
+  mod_register:
+    ip_access: trusted_network
+  mod_roster:
+    versioning: true
+  mod_s2s_dialback: {}
+  mod_shared_roster: {}
+  mod_stream_mgmt:
+    resend_on_timeout: if_offline
+  mod_stun_disco: {}
+  mod_vcard: {}
+  mod_vcard_xupdate: {}
+  mod_version:
+    show_os: false
+
+default_db: sql
+sql_type: pgsql
+sql_server: "localhost"
+sql_database: "ejabberd"
+sql_username: "ejabberd"
+sql_password: "[REDACTED]"
+
+### Local Variables:
+### mode: yaml
+### End:
+### vim: set filetype=yaml tabstop=8

xb000-0/nginx/gitea.conf

@@ -0,0 +1,53 @@
+# Inferencium - xb000-0
+# Nginx - Configuration - Gitea
+
+# Copyright 2022 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause
+
+# Version: 3.0.1.12
+
+
+# Server (unencrypted)
+server {
+		# General
+        server_name    git.inferencium.net;
+        listen         80;
+        listen         [::]:80;
+
+		# Location
+        location / {
+                    return	301 https://$server_name$request_uri;
+		}
+}
+
+# Server (TLS)
+server {
+		# General
+		server_name git.inferencium.net;
+		listen 443 ssl http2;
+		listen [::]:443 ssl http2;
+	
+		# Security
+		ssl_certificate /etc/letsencrypt/live/git.inferencium.net/fullchain.pem;
+		ssl_certificate_key /etc/letsencrypt/live/git.inferencium.net/privkey.pem;
+		ssl_protocols TLSv1.3;
+		ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256";
+		ssl_conf_command Ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
+		ssl_conf_command Options PrioritizeChaCha;
+		ssl_prefer_server_ciphers on;
+		ssl_ecdh_curve X25519;
+		add_header Strict-Transport-Security "max-age=126200000; includeSubDomains; preload";
+		add_header X-Frame-Options "DENY";
+		add_header X-Content-Type-Options nosniff;
+#		add_header Content-Security-Policy "default-src 'self'; img-src 'self'; media-src 'self'; object-src 'none'; script-src 'none'; connect-src 'none'; frame-src 'none'; style-src 'self'; font-src 'self'";
+		add_header Referrer-Policy no-referrer;
+
+		# Location
+		location / {
+		proxy_pass http://unix:/run/gitea/gitea.socket;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		}
+}

xb000-0/nginx/redirect-git.conf

@@ -0,0 +1,71 @@
+# Inferencium - xb000-0
+# Nginx - Configuration - Redirect - git.inferencium.net
+
+# Copyright 2023 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause
+
+# Version: 0.0.2.3
+
+
+# Server (unencrypted)
+server {
+		# General
+		server_name    git.inferencium.net;
+		listen         80;
+#		listen         [::]:80;
+		rewrite	^/(.*)$ https://inferencium.net/redirect-git.html permanent;
+		rewrite ^(/.*)\.html(\?.*)?$ $1$2 permanent;
+		rewrite ^/(.*)/$ /$1 permanent;
+}
+
+# Server (TLS)
+server {
+        # General
+        server_name git.inferencium.net;
+        listen 443 ssl http2;
+#       listen [::]:443 ssl http2;
+		rewrite ^/(.*)$ https://inferencium.net/redirect-git.html permanent;
+		rewrite ^(/.*)\.html(\?.*)?$ $1$2 permanent;
+		rewrite ^/(.*)/$ /$1 permanent;
+
+        # Security
+        ssl_trusted_certificate   /etc/letsencrypt/live/git.inferencium.net/chain.pem;
+        ssl_certificate           /etc/letsencrypt/live/git.inferencium.net/fullchain.pem;
+        ssl_certificate_key       /etc/letsencrypt/live/git.inferencium.net/privkey.pem;
+        ssl_protocols TLSv1.3;
+        ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256";
+        ssl_conf_command Ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
+		ssl_conf_command Options PrioritizeChaCha;
+        ssl_prefer_server_ciphers on;
+        ssl_ecdh_curve X25519;
+        ssl_stapling on;
+        ssl_stapling_verify on;
+		ssl_session_timeout 1d;
+        ssl_session_cache shared:MozSSL:10m;
+        ssl_session_cache shared:ssl_session_cache:10m;
+        ssl_session_tickets off;
+        add_header Strict-Transport-Security "max-age=126200000; includeSubDomains; preload";
+        add_header X-Frame-Options "DENY";
+        add_header X-Content-Type-Options nosniff;
+        add_header Content-Security-Policy "default-src 'self'; img-src 'self'; media-src 'self'; object-src 'none'; script-src 'none'; connect-src 'none'; frame-src 'none'; style-src 'self'; font-src 'self'";
+        add_header Referrer-Policy no-referrer;
+
+        client_max_body_size 16m;
+        ignore_invalid_headers off;
+
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+}
+
+# MIME types
+types {
+		text/html					html;
+		text/css					css;
+		text/xml					xml;
+		text/plain					txt;
+		image/png					png;
+		image/jpeg					jpg;
+}

xb000-0/nginx/website.conf

@@ -0,0 +1,79 @@
+# Inferencium - xb000-0
+# Nginx - Configuration - Website
+
+# Copyright 2022 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause
+
+# Version: 9.0.0.11
+
+
+# Server (unencrypted)
+server {
+		# General
+		server_name    inferencium.net;
+		listen         80;
+		listen         [::]:80;
+
+		# Location
+		location / {
+                    return	301 https://$server_name$request_uri;
+		}
+}
+
+# Server (TLS)
+server {
+        # General
+        server_name inferencium.net;
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+
+		# Location
+		location / {
+				root /srv/www/inferencium;
+				index index.html;
+				try_files $uri.html $uri $uri/ =404;
+				rewrite ^(/.*)\.html(\?.*)?$ $1$2 permanent;
+				rewrite ^/(.*)/$ /$1 permanent;
+		}
+
+        # Security
+        ssl_trusted_certificate   /etc/letsencrypt/live/inferencium.net/chain.pem;
+        ssl_certificate           /etc/letsencrypt/live/inferencium.net/fullchain.pem;
+        ssl_certificate_key       /etc/letsencrypt/live/inferencium.net/privkey.pem;
+        ssl_protocols TLSv1.3;
+        ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256";
+        ssl_conf_command Ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
+		ssl_conf_command Options PrioritizeChaCha;
+        ssl_prefer_server_ciphers on;
+        ssl_ecdh_curve X25519;
+        ssl_stapling on;
+        ssl_stapling_verify on;
+		ssl_session_timeout 1d;
+        ssl_session_cache shared:MozSSL:10m;
+        ssl_session_cache shared:ssl_session_cache:10m;
+        ssl_session_tickets off;
+        add_header Strict-Transport-Security "max-age=126200000; includeSubDomains; preload";
+        add_header X-Frame-Options "DENY";
+        add_header X-Content-Type-Options nosniff;
+        add_header Content-Security-Policy "default-src 'self'; img-src 'self'; media-src 'self'; object-src 'none'; script-src 'none'; connect-src 'none'; frame-src 'none'; style-src 'self'; font-src 'self'";
+        add_header Referrer-Policy no-referrer;
+
+        client_max_body_size 16m;
+        ignore_invalid_headers off;
+
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+}
+
+# MIME types
+types {
+		text/html					html;
+		text/css					css;
+		text/xml					xml;
+		text/plain					txt;
+		image/png					png;
+		image/jpeg					jpg;
+}

xb000-0/portage/env/basic.conf

@@ -0,0 +1,16 @@
+# Inferencium - xb000-0
+# Portage - env - Clang - Basic
+
+# Copyright 2023 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause
+
+# Version: 4.0.1.5
+
+
+# Flags
+## Compiler flags
+CFLAGS="-march=znver1 -mtune=znver1 --optimize=2 -pipe"
+CXXFLAGS="-march=znver1 -mtune=znver1 --optimize=2 -pipe"
+RUSTFLAGS="-C debuginfo=0 -C opt-level=2 -C target-cpu=znver1"
+## Linker flags
+LDFLAGS="-Wl,-O2 -Wl,--strip-all"

xb000-0/portage/env/gcc-basic.conf

@@ -0,0 +1,27 @@
+# Inferencium - xb000-0
+# Portage - env - GCC - Basic
+
+# Copyright 2023 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause
+
+# Version: 7.0.0.10
+
+
+# Toolchain
+AR="gcc-ar"
+CC="gcc"
+CPP="cpp"
+CXX="g++"
+LD="ld"
+NM="gcc-nm"
+RANLIB="gcc-ranlib"
+READELF="readelf"
+STRIP="strip"
+
+# Flags
+## Compiler flags
+CFLAGS="-march=znver1 -mtune=znver1 --optimize=2 -pipe"
+CXXFLAGS="-march=znver1 -mtune=znver1 --optimize=2 -pipe"
+RUSTFLAGS="-C debuginfo=0 -C opt-level=2 -C target-cpu=znver1"
+## Linker flags
+LDFLAGS="-Wl,-O2 -Wl,--strip-all"

xb000-0/portage/env/gcc-nolto.conf

@@ -0,0 +1,19 @@
+# Inferencium - xb000-0
+# Portage - env - GCC - No LTO
+
+# Copyright 2023 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause
+
+# Version: 8.0.0.12
+
+
+# Flags
+# Hardening flags
+C_SEC="-fstack-clash-protection -fstack-protector-strong -ftrivial-auto-var-init=zero -fwrapv"
+LD_SEC="-Wl,-z,defs -Wl,-z,now -Wl,-z,relro"
+## Compiler flags
+CFLAGS="-march=znver1 -mtune=znver1 --optimize=2 -pipe ${C_SEC}"
+CXXFLAGS="-march=znver1 -mtune=znver1 --optimize=2 -pipe ${C_SEC}"
+RUSTFLAGS="-C debuginfo=0 -C opt-level=2 -C target-cpu=znver1"
+## Linker flags
+LDFLAGS="-Wl,-O2 -Wl,--strip-all ${LD_SEC}"

xb000-0/portage/env/gcc.conf

@@ -0,0 +1,19 @@
+# Inferencium - xb000-0
+# Portage - env - GCC
+
+# Copyright 2023 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause
+
+# Version: 1.0.0.1
+
+
+# Flags
+# Hardening flags
+C_SEC="-fstack-clash-protection -fstack-protector-strong -ftrivial-auto-var-init=zero -fwrapv"
+LD_SEC="-Wl,-z,defs -Wl,-z,now -Wl,-z,relro"
+## Compiler flags
+CFLAGS="-flto=2 -march=znver1 -mtune=znver1 --optimize=2 -pipe ${C_SEC}"
+CXXFLAGS="-flto=2 -march=znver1 -mtune=znver1 --optimize=2 -pipe ${C_SEC}"
+RUSTFLAGS="-C debuginfo=0 -C lto -C opt-level=2 -C target-cpu=znver1"
+## Linker flags
+LDFLAGS="-Wl,-O2 -Wl,--strip-all ${LD_SEC}"

xb000-0/portage/env/nolto.conf

@@ -0,0 +1,19 @@
+# Inferencium - xb000-0
+# Portage - env - Clang - No LTO
+
+# Copyright 2023 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause
+
+# Version: 3.0.1.5
+
+
+# Flags
+## Hardening flags
+C_SEC="-fstack-clash-protection -fstack-protector-strong -ftrivial-auto-var-init=zero -fwrapv"
+LD_SEC="-Wl,-z,defs -Wl,-z,now -Wl,-z,relro"
+## Compiler flags
+CFLAGS="-march=znver1 -mtune=znver1 --optimize=2 -pipe ${C_SEC}"
+CXXFLAGS="-march=znver1 -mtune=znver1 --optimize=2 -pipe ${C_SEC}"
+RUSTFLAGS="-C debuginfo=0 -C opt-level=2 -C target-cpu=znver1"
+## Linker flags
+LDFLAGS="-Wl,-O2 -Wl,--strip-all ${LD_SEC}"

xb000-0/portage/env/notmpfs.conf

@@ -0,0 +1,11 @@
+# Inferencium - xb000-0
+# Portage - env - No tmpfs
+
+# Copyright 2023 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause
+
+# Version: 2.0.0.3
+
+
+# Directories
+PORTAGE_TMPDIR="/var/tmp/notmpfs/"

xb000-0/portage/make.conf

@@ -0,0 +1,59 @@
+# Inferencium - xb000-0
+# Portage - make.conf
+
+# Copyright 2023 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause
+
+# Version: 9.0.0.35
+
+
+# System
+## Appearance
+NOCOLOR="false"
+## CHOST
+CHOST="x86_64-gentoo-linux-musl"
+## Directories
+PORTAGE_LOGDIR="/var/log/portage/"
+DISTDIR="/var/cache/distfile/"
+PKGDIR="/var/cache/bin/"
+## Language
+LC_MESSAGES="C"
+LINGUAS="en"
+L10N="en-GB"
+## Gentoo mirrors
+## ONLY IPV4 + IPV6 DUAL-STACK MIRRORS SHOULD BE USED! IPV4 IS BEING PHASED OUT!
+## IF IPV6-ONLY IS SUPPORTED BY ISP, IPV6-ONLY MIRRORS SHOULD BE PREFERRED!
+#GENTOO_MIRRORS="rsync://mirror.bytemark.co.uk/gentoo/ rsync://rsync.mirrorservice.org/sites/distfiles.gentoo.org/ rsync://mirror.init7.net/gentoo/ rsync://ftp.iij.ad.jp/pub/linux/gentoo/ rsync://ftp.jaist.ac.jp/pub/Linux/gentoo/"
+## Emerge
+BINPKG_COMPRESS="zstd"
+BINPKG_COMPRESS_FLAGS="-7"
+CLEAN_DELAY="10"
+EMERGE_DEFAULT_OPTS="--ask --jobs 1 --load-average 2 --verbose"
+FEATURES="buildpkg ipc-sandbox merge-sync metadata-transfer network-sandbox pid-sandbox sandbox strict unknown-features-filter"
+MAKEOPTS="--jobs 2"
+PORTAGE_CHECKSUM_FILTER="-* sha256 sha512"
+PORTAGE_RSYNC_EXTRA_OPTS="--progress --verbose"
+
+
+# Flags
+## Hardening flags
+C_SEC="-fstack-clash-protection -fstack-protector-strong -ftrivial-auto-var-init=zero -fwrapv"
+LD_SEC="-Wl,-z,defs -Wl,-z,now -Wl,-z,relro"
+## Compiler flags
+CFLAGS="-flto=thin -march=znver1 -mtune=znver1 --optimize=2 -pipe ${C_SEC}"
+CXXFLAGS="-flto=thin -march=znver1 -mtune=znver1 --optimize=2 -pipe ${C_SEC}"
+RUSTFLAGS="-C debuginfo=0 -C embed-bitcode=y -C lto -C opt-level=2 -C target-cpu=znver1"
+## Linker flags
+LDFLAGS="-Wl,-O2 -Wl,--strip-all -Wl,--thinlto-jobs=2 ${LD_SEC}"
+## USE flags
+USE="clang dbus llvm-libunwind lto nftables postgres system-av1 system-harfbuzz system-icu system-jpeg system-libvpx system-llvm system-png system-webp verify-sig"
+USE="${USE} -jit -mysql -systemd -wayland -X"
+## CPU flags
+CPU_FLAGS_X86="aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt rdrand sha sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3"
+## ABI flags
+ABI_X86="64"
+## LLVM target flags
+LLVM_TARGETS="X86"
+## Nginx modules
+NGINX_MODULES_HTTP="access addition auth_basic auth_request autoindex browser cach_purge charset degradation echo fastcgi headers_more limit_conn limit_req memcached push_stream random_index referer rewrite scgi secure_link gunzip gzip gzip_static proxy slice"
+NGINX_MODULES_STREAM="access limit_conn ssl_preread return"

xb000-0/ssh/sshd_config

@@ -0,0 +1,122 @@
+# Inferencium
+# SSH - sshd Configuration
+
+# Copyright 2023 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+
+# Version: 0.0.1.1
+
+
+Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# Keys
+HostKey /etc/ssh/ssh-host-ed25519
+HostKeyAlgorithms ssh-ed25519
+KexAlgorithms sntrup761x25519-sha512@openssh.com
+PubkeyAcceptedKeyTypes ssh-ed25519
+
+# Ciphers
+Ciphers chacha20-poly1305@openssh.com
+
+MACs -*
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication
+LoginGraceTime 30s
+PermitRootLogin yes
+StrictModes yes
+MaxAuthTries 1
+MaxSessions 5
+
+PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+KbdInteractiveAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+PrintLastLog no
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/misc/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
+
+# Allow client to pass locale environment variables. #367017
+AcceptEnv LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
+
+# Allow client to pass COLORTERM to match TERM. #658540
+AcceptEnv COLORTERM