about summary refs log tree commit diff stats
path: root/tools/conf
diff options
context:
space:
mode:
Diffstat (limited to 'tools/conf')
-rw-r--r--tools/conf/etc/dnsmasq.conf23
-rw-r--r--tools/conf/etc/logrotate.conf315
-rw-r--r--tools/conf/etc/logrotate.d/dnsmasq11
-rw-r--r--tools/conf/etc/logrotate.d/gitolite12
-rw-r--r--tools/conf/etc/logrotate.d/letsencrypt7
-rw-r--r--tools/conf/etc/logrotate.d/nginx23
-rw-r--r--tools/conf/etc/logrotate.d/php-fpm5
-rw-r--r--tools/conf/etc/logrotate.d/postgres17
-rw-r--r--tools/conf/etc/logrotate.d/postgresql10
-rw-r--r--tools/conf/etc/nginx/nginx.conf112
-rw-r--r--tools/conf/etc/nginx/sites-enabled/default.conf106
-rw-r--r--tools/conf/etc/nginx/sites-enabled/email.c2.ank.conf61
-rw-r--r--tools/conf/etc/nginx/sites-enabled/forum.c2.ank.conf26
-rw-r--r--tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf28
-rw-r--r--tools/conf/etc/nginx/sites-enabled/git.localhost.conf25
-rw-r--r--tools/conf/etc/nginx/sites-enabled/shop.c2.ank.conf84
-rw-r--r--tools/conf/etc/nginx/sites-enabled/task.c2.ank.conf21
-rw-r--r--tools/conf/etc/nginx/sites-enabled/wiki.c2.ank.conf43
-rw-r--r--tools/conf/etc/rc.conf6
-rw-r--r--tools/conf/etc/ssh/sshd_config33
-rw-r--r--tools/conf/etc/syslog-ng.conf294
-rw-r--r--tools/conf/srv/gitolite/.gitolite.rc2
-rwxr-xr-xtools/conf/srv/gitolite/deploy-web-doc2
-rw-r--r--tools/conf/srv/gitolite/deploy-web.sh2
-rw-r--r--tools/conf/srv/gitolite/gitolite.conf91
-rw-r--r--tools/conf/srv/pgsql/data/pg_hba.conf20
-rw-r--r--tools/conf/srv/pgsql/data/postgresql.conf129
27 files changed, 966 insertions, 542 deletions
diff --git a/tools/conf/etc/dnsmasq.conf b/tools/conf/etc/dnsmasq.conf
index c7dd4cd..b6267fa 100644
--- a/tools/conf/etc/dnsmasq.conf
+++ b/tools/conf/etc/dnsmasq.conf
@@ -69,7 +69,7 @@ no-poll
 # Add other name servers here, with domain specs if they are for
 # non-public domains.
 #server=/localnet/192.168.0.1
-#server=127.0.0.1#40
+#server=10.0.0.4#40
 #server=213.73.91.35
 #server=37.235.1.174
 #server=84.200.69.80
@@ -89,7 +89,6 @@ local=/ank/
 # The example below send any host in double-click.net to a local
 # web-server.
 address=/tribu.semdestino.org/10.0.0.4
-#address=/tribu.semdestino.org/192.168.1.5
 #host-record=tribu.semdestino.org,10.0.0.4
 #host-record=tribu.semdestino.org,192.168.1.67
 
@@ -128,9 +127,9 @@ interface=wlp7s0
 #except-interface=wlp7s0
 #except-interface=enp8s0
 
-# Or which to listen on by address (remember to include 127.0.0.1 if
+# Or which to listen on by address (remember to include 10.0.0.4 if
 # you use this.)
-#listen-address=127.0.0.1
+#listen-address=10.0.0.4
 #listen-address=10.0.0.254
 #listen-address=192.168.1.33
 
@@ -178,11 +177,17 @@ dhcp-option=15,ank
 # Same idea, but range rather then subnet
 #domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200
 
-#address=/.akamai.net/127.0.0.1
-address=/.firefox.com/127.0.0.1
-#address=/.google.com/127.0.0.1
-address=/.stripe.com/127.0.0.1
-address=/.mozilla.com/127.0.0.1
+address=/.akamai.net/10.0.0.4
+address=/.akamaitechnologies.com/10.0.0.4
+address=/.firefox.com/10.0.0.4
+#address=/.google.com/10.0.0.4
+address=/.stripe.com/10.0.0.4
+address=/.mozilla.com/10.0.0.4
+address=/.amazonaws.com/10.0.0.4
+address=/.amazontrust.com/10.0.0.4
+address=/.1e100.net/10.0.0.4
+address=/.1e100.net/10.0.0.4
+address=/.ank.sec-t4net-srv/10.0.0.4
 
 # Uncomment this to enable the integrated DHCP server, you need
 # to supply the range of addresses available for lease and optionally
diff --git a/tools/conf/etc/logrotate.conf b/tools/conf/etc/logrotate.conf
index 896b779..636dffb 100644
--- a/tools/conf/etc/logrotate.conf
+++ b/tools/conf/etc/logrotate.conf
@@ -9,13 +9,10 @@ rotate 4
 create
 
 # uncomment this if you want your log files compressed
-compress
+#compress
 
 olddir /var/log/old
-
-notifempty
-
-maxsize 5M
+maxsize 1M
 
 # some packages can drop log rotation information into 
 # this directory
@@ -23,111 +20,297 @@ include /etc/logrotate.d
 
 # few generic files to rotate
 /var/log/wtmp {
+    monthly
     create 0644 root root
-    rotate 5
+    rotate 1
 }
 
 /var/log/btmp {
+    monthly
     create 0600 root root
-    rotate 5
+    rotate 1
 }
 
 # system-specific logs may be also be configured here.
-/var/log/faillog {
-    maxsize 5M
+/var/log/auth {
+   missingok
+   notifempty
+   compress
+   delaycompress
+   sharedscripts
+   postrotate
+      /etc/init.d/syslog-ng reload
+   endscript
 }
 
-/var/log/lastlog {
-    maxsize 5M
+/var/log/sudo {
+   missingok
+   notifempty
+   compress
+   delaycompress
+   sharedscripts
+   postrotate
+      /etc/init.d/syslog-ng reload
+   endscript
 }
 
-/var/log/auth {
-    create 0644 root root
-    rotate 5
-    sharedscripts
+/var/log/cron {
+   missingok
+   notifempty
+   compress
+   delaycompress
+   sharedscripts
+   postrotate
+      /etc/init.d/syslog-ng reload
+   endscript
+}
+
+/var/log/daemon {
+   rotate 7
+   missingok
+   notifempty
+   compress
+   delaycompress
+   sharedscripts
+   postrotate
+      /etc/init.d/syslog-ng reload
+   endscript
+}
+
+/var/log/debug {
+   missingok
+   notifempty
+   compress
+   delaycompress
+   sharedscripts
+   postrotate
+      /etc/init.d/syslog-ng reload
+   endscript
+}
+
+/var/log/error {
+   missingok
+   notifempty
+   compress
+   delaycompress
+   sharedscripts
+   postrotate
+      /etc/init.d/syslog-ng reload
+   endscript
+}
+
+/var/log/iptables {
+    # uncomment this if you want your log files compressed
+    delaycompress
+    compress
     postrotate
-    if [ -f /var/run/syslog-ng.pid ]; then \
-    	kill -HUP `cat /var/run/syslog-ng.pid`; \
-    fi;
+        /etc/rc.d/syslog-ng reload >/dev/null
     endscript
 }
 
-/var/log/cron {
-    create 0644 root root
-    rotate 5
-    sharedscripts
+/var/log/kernel {
+   missingok
+   notifempty
+   compress
+   delaycompress
+   sharedscripts
+   postrotate
+      /etc/init.d/syslog-ng reload
+   endscript
+}
+
+/var/log/lpr {
+   missingok
+   notifempty
+   compress
+   delaycompress
+   sharedscripts
+   postrotate
+      /etc/init.d/syslog-ng reload
+   endscript
+}
+
+/var/log/mail.err {
+   missingok
+   notifempty
+   compress
+   delaycompress
+   sharedscripts
+   postrotate
+      /etc/init.d/syslog-ng reload
+   endscript
+}
+
+/var/log/mail.info {
+   missingok
+   notifempty
+   compress
+   delaycompress
+   sharedscripts
+   postrotate
+      /etc/init.d/syslog-ng reload
+   endscript
+}
+
+/var/log/mail {
+   missingok
+   notifempty
+   compress
+   delaycompress
+   sharedscripts
+   postrotate
+      /etc/init.d/syslog-ng reload
+   endscript
+}
+
+/var/log/mail.warn {
+   missingok
+   notifempty
+   compress
+   delaycompress
+   sharedscripts
+   postrotate
+      /etc/init.d/syslog-ng reload
+   endscript
+}
+
+/var/log/messages {
+   missingok
+   notifempty
+   compress
+   delaycompress
+   sharedscripts
+   postrotate
+      /etc/init.d/syslog-ng reload
+   endscript
+}
+
+
+/var/log/user {
+   missingok
+   notifempty
+   compress
+   delaycompress
+   sharedscripts
+   postrotate
+      /etc/init.d/syslog-ng reload
+   endscript
+}
+
+/var/log/uucp {
+   missingok
+   notifempty
+   compress
+   delaycompress
+   sharedscripts
+   postrotate
+      /etc/init.d/syslog-ng reload
+   endscript
+}
+
+/var/log/syslog-ng {
+   rotate 7
+   daily
+   compress
+   delaycompress
+   sharedscripts
+   postrotate
+      /etc/init.d/syslog-ng reload
+   endscript
+}
+
+/var/log/dnsmasq {
+    # uncomment this if you want your log files compressed
+    delaycompress
+    compress
     postrotate
-    if [ -f /var/run/syslog-ng.pid ]; then \
-    	kill -HUP `cat /var/run/syslog-ng.pid`; \
-    fi;
+        /etc/rc.d/syslog-ng reload >/dev/null
     endscript
 }
 
-/var/log/debug {
+/var/log/pgsql {
+    # create new (empty) log files after rotating old ones
     create 0644 root root
-    rotate 5
-    sharedscripts
+    # uncomment this if you want your log files compressed
+    delaycompress
+    compress
+    notifempty
+    maxsize 5M
     postrotate
-    if [ -f /var/run/syslog-ng.pid ]; then \
-    	kill -HUP `cat /var/run/syslog-ng.pid`; \
-    fi;
+        /etc/rc.d/syslog-ng reload >/dev/null
     endscript
 }
 
-/var/log/kernel {
-    rotate 5
-    create 0644 root root
-    sharedscripts
+/var/log/git-daemon {
+    # uncomment this if you want your log files compressed
+    delaycompress
+    compress
     postrotate
-    if [ -f /var/run/syslog-ng.pid ]; then \
-    	kill -HUP `cat /var/run/syslog-ng.pid`; \
-    fi;
+        /etc/rc.d/syslog-ng reload >/dev/null
     endscript
 }
 
-/var/log/daemon {
+/var/log/gitolite {
+    # uncomment this if you want your log files compressed
+    delaycompress
+    compress
+    postrotate
+        /etc/rc.d/syslog-ng reload >/dev/null
+    endscript
+}
+
+/var/log/php-fpm {
+    # uncomment this if you want your log files compressed
+    delaycompress
     compress
-    rotate 5
-    create 644 root root
-    sharedscripts
     postrotate
-    if [ -f /var/run/syslog-ng.pid ]; then \
-    	kill -HUP `cat /var/run/syslog-ng.pid`; \
-    fi;
+        /etc/rc.d/syslog-ng reload >/dev/null
     endscript
+}
 
+/var/log/php {
+    # uncomment this if you want your log files compressed
+    delaycompress
+    compress
+    postrotate
+        /etc/rc.d/syslog-ng reload >/dev/null
+    endscript
 }
 
-/var/log/messages {
-    rotate 5
-    create 0644 root root
-    sharedscripts
+/var/log/nginx_access {
+    # uncomment this if you want your log files compressed
+    delaycompress
+    compress
     postrotate
-    if [ -f /var/run/syslog-ng.pid ]; then \
-    	kill -HUP `cat /var/run/syslog-ng.pid`; \
-    fi;
+        /etc/rc.d/syslog-ng reload >/dev/null
     endscript
 }
 
-/var/log/mail {
-    create 0644 root root
-    rotate 5
-    sharedscripts
+/var/log/nginx_error {
+    # uncomment this if you want your log files compressed
+    delaycompress
+    compress
     postrotate
-    if [ -f /var/run/syslog-ng.pid ]; then \
-    	kill -HUP `cat /var/run/syslog-ng.pid`; \
-    fi;
+        /etc/rc.d/syslog-ng reload >/dev/null
     endscript
 }
 
-/var/log/user {
-    create 0644 root root
-    rotate 5
-    sharedscripts
+/var/log/nginx/tribu_error.log {
+    # uncomment this if you want your log files compressed
+    delaycompress
+    compress
+    olddir /var/log/old/nginx
     postrotate
-    if [ -f /var/run/syslog-ng.pid ]; then \
-    	kill -HUP `cat /var/run/syslog-ng.pid`; \
-    fi;
+        /etc/rc.d/syslog-ng reload >/dev/null
     endscript
 }
 
+/var/log/nginx/tribu_access.log {
+    # uncomment this if you want your log files compressed
+    delaycompress
+    compress
+    olddir /var/log/old/nginx
+    postrotate
+        /etc/rc.d/syslog-ng reload >/dev/null
+    endscript
+}
diff --git a/tools/conf/etc/logrotate.d/dnsmasq b/tools/conf/etc/logrotate.d/dnsmasq
deleted file mode 100644
index 3151ddc..0000000
--- a/tools/conf/etc/logrotate.d/dnsmasq
+++ /dev/null
@@ -1,11 +0,0 @@
-/var/log/dnsmasq {
-    weekly
-    create 0644 root root
-    rotate 5
-    sharedscripts
-    postrotate
-    if [ -f /var/run/syslog-ng.pid ]; then \
-    	kill -HUP `cat /var/run/syslog-ng.pid`; \
-    fi;
-    endscript
-}
diff --git a/tools/conf/etc/logrotate.d/gitolite b/tools/conf/etc/logrotate.d/gitolite
deleted file mode 100644
index 547d6b6..0000000
--- a/tools/conf/etc/logrotate.d/gitolite
+++ /dev/null
@@ -1,12 +0,0 @@
-/var/log/gitolite {
-    rotate 5
-    monthly
-    create 0644 root root
-    sharedscripts
-    postrotate
-    if [ -f /var/run/syslog-ng.pid ]; then \
-    	kill -HUP `cat /var/run/syslog-ng.pid`; \
-    fi;
-    endscript
-
-}
diff --git a/tools/conf/etc/logrotate.d/letsencrypt b/tools/conf/etc/logrotate.d/letsencrypt
new file mode 100644
index 0000000..ce73ebc
--- /dev/null
+++ b/tools/conf/etc/logrotate.d/letsencrypt
@@ -0,0 +1,7 @@
+/var/log/letsencrypt/*.log {
+    # uncomment this if you want your log files compressed
+    delaycompress
+    compress
+    olddir /var/log/old/letsencrypt
+    notifempty
+}
diff --git a/tools/conf/etc/logrotate.d/nginx b/tools/conf/etc/logrotate.d/nginx
deleted file mode 100644
index ae05445..0000000
--- a/tools/conf/etc/logrotate.d/nginx
+++ /dev/null
@@ -1,23 +0,0 @@
-/var/log/nginx/access.log {
-    weekly
-    create 0664 root www
-    rotate 5
-    sharedscripts
-    postrotate
-    if [ -f /var/run/syslog-ng.pid ]; then \
-    	kill -HUP `cat /var/run/syslog-ng.pid`; \
-    fi;
-    endscript
-}
-
-/var/log/nginx/error.log {
-    weekly
-    create 0644 root root
-    rotate 5
-    sharedscripts
-    postrotate
-    if [ -f /var/run/syslog-ng.pid ]; then \
-    	kill -HUP `cat /var/run/syslog-ng.pid`; \
-    fi;
-    endscript
-}
diff --git a/tools/conf/etc/logrotate.d/php-fpm b/tools/conf/etc/logrotate.d/php-fpm
deleted file mode 100644
index c778658..0000000
--- a/tools/conf/etc/logrotate.d/php-fpm
+++ /dev/null
@@ -1,5 +0,0 @@
-/var/log/php-fpm.log {
-    rotate 5
-    monthly
-    create 0644 root root
-}
diff --git a/tools/conf/etc/logrotate.d/postgres b/tools/conf/etc/logrotate.d/postgres
deleted file mode 100644
index fc59aad..0000000
--- a/tools/conf/etc/logrotate.d/postgres
+++ /dev/null
@@ -1,17 +0,0 @@
-/var/log/pgsql {
-    weekly
-    compress
-    delaycompress
-    rotate 10
-    notifempty
-    create 660 postgres postgres
-    sharedscripts
-    postrotate
-    if [ -f /var/run/syslog-ng.pid ]; then \
-    	kill -HUP `cat /var/run/syslog-ng.pid`; \
-    fi;
-    endscript
-
-}
-
-
diff --git a/tools/conf/etc/logrotate.d/postgresql b/tools/conf/etc/logrotate.d/postgresql
new file mode 100644
index 0000000..8c16bfa
--- /dev/null
+++ b/tools/conf/etc/logrotate.d/postgresql
@@ -0,0 +1,10 @@
+# this log is only used by postgresql at startup
+# before start using syslog so there is no need
+# to reload syslog-ng or syslog-ng
+/var/log/postgresql {
+    # uncomment this if you want your log files compressed
+    delaycompress
+    compress
+    notifempty
+    create 664 postgres postgres
+}
diff --git a/tools/conf/etc/nginx/nginx.conf b/tools/conf/etc/nginx/nginx.conf
index 8fca293..1339275 100644
--- a/tools/conf/etc/nginx/nginx.conf
+++ b/tools/conf/etc/nginx/nginx.conf
@@ -6,36 +6,36 @@
 user www;
 worker_processes auto;
 
-error_log /var/log/nginx/error.log;
+error_log syslog:server=unix:/dev/log debug;
 
 pid /var/run/nginx.pid;
 
-
 events {
     worker_connections  1024;
 }
 
-
 http {
     include       mime.types;
     default_type  application/octet-stream;
 
-    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-    #                  '$status $body_bytes_sent "$http_referer" '
-    #                  '"$http_user_agent" "$http_x_forwarded_for"';
-
-    access_log /var/log/nginx/access.log;
-    error_log  /var/log/nginx/error.log;
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
 
     sendfile        on;
     #tcp_nopush     on;
 
-    client_max_body_size 8M;
-    keepalive_timeout  65;
-    client_body_timeout 12;
-    client_header_timeout 12;
-    send_timeout 65;
+    # Allow attach iso to wiki
+    #client_max_body_size 8M;
+    client_max_body_size 30M;
+    #keepalive_timeout  65;
+    keepalive_timeout  120;
+    #client_body_timeout 12;
+    client_body_timeout 24;
+    #client_header_timeout 12;
+    client_header_timeout 24;
 
+    send_timeout 65;
 
     gzip  on;
     gzip_vary on;
@@ -45,88 +45,6 @@ http {
     # gzip_http_version 1.1;
     gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
 
-
-    include /etc/nginx/conf.d/*.conf;
     include /etc/nginx/sites-enabled/*.conf;
-
-    #server {
-    #    listen       80;
-    #    server_name  localhost;
-    #
-    #    #charset koi8-r;
-    #
-    #    location / {
-    #        root   html;
-    #        index  index.html index.htm;
-    #    }
-    #
-    #    error_page  404              /404.html;
-    #
-    #    # redirect server error pages to the static page /50x.html
-    #    #
-    #    error_page   500 502 503 504  /50x.html;
-    #    location = /50x.html {
-    #        root   html;
-    #    }
-    #
-    #    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
-    #    #
-    #    #location ~ \.php$ {
-    #    #    proxy_pass   http://127.0.0.1;
-    #    #}
-    #
-    #    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
-    #    #
-    #    #location ~ \.php$ {
-    #    #    root           html;
-    #    #    fastcgi_pass   127.0.0.1:9000;
-    #    #    fastcgi_index  index.php;
-    #    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
-    #    #    include        fastcgi_params;
-    #    #}
-    #
-    #    # deny access to .htaccess files, if Apache's document root
-    #    # concurs with nginx's one
-    #    #
-    #    #location ~ /\.ht {
-    #    #    deny  all;
-    #    #}
-    #}
-
-
-    # another virtual host using mix of IP-, name-, and port-based configuration
-    #
-    #server {
-    #    listen       8000;
-    #    listen       somename:8080;
-    #    server_name  somename  alias  another.alias;
-
-    #    location / {
-    #        root   html;
-    #        index  index.html index.htm;
-    #    }
-    #}
-
-
-    # HTTPS server
-    #
-    #server {
-    #    listen       443 ssl;
-    #    server_name  localhost;
-
-    #    ssl_certificate      cert.pem;
-    #    ssl_certificate_key  cert.key;
-
-    #    ssl_session_cache    shared:SSL:1m;
-    #    ssl_session_timeout  5m;
-
-    #    ssl_ciphers  HIGH:!aNULL:!MD5;
-    #    ssl_prefer_server_ciphers  on;
-
-    #    location / {
-    #        root   html;
-    #        index  index.html index.htm;
-    #    }
-    #}
-
 }
+# End of file
diff --git a/tools/conf/etc/nginx/sites-enabled/default.conf b/tools/conf/etc/nginx/sites-enabled/default.conf
index c35b0cd..fb9fb8e 100644
--- a/tools/conf/etc/nginx/sites-enabled/default.conf
+++ b/tools/conf/etc/nginx/sites-enabled/default.conf
@@ -1,15 +1,13 @@
 server {
+    server_name tribu.semdestino.org;
 
-#listen 443 ssl http2;
-    listen 443 ssl;
+    listen 80 default_server;
+    listen 443 ssl default_server;
 
-#    listen 80;
-    server_name machine.example;
+    ssl_certificate /etc/letsencrypt/live/tribu.semdestino.org/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/tribu.semdestino.org/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/tribu.semdestino.org/chain.pem;
 
-#  listen [::]:443 ssl http2;
-    ssl_certificate /etc/letsencrypt/live/machine.example/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/machine.example/privkey.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/machine.example/chain.pem;
     ssl_session_timeout 1d;
     ssl_session_cache shared:SSL:50m;
     ssl_session_tickets off;
@@ -20,84 +18,62 @@ server {
     ssl_stapling on;
     ssl_stapling_verify on;
 
-    access_log /var/log/nginx/access.log;
-    error_log  /var/log/nginx/error.log;
+    access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost,nohostname main;
+    error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost_err,nohostname debug;
 
-
-    root /srv/www;
-
-    location /ports/distfiles {
-        alias /usr/ports/distfiles;
-    }
-
-    location /ports/packages {
-        alias /usr/ports/distfiles;
-    }
+    root /etc/html/;
 
     location /doc {
         alias /srv/www/doc;
         index index.html;
     }
 
-    location /git/static {
-# static files (png/css) served from /usr/share/gitweb/static
-        alias /srv/www/gitweb/static;
-        expires 30d;
+    location /pub {
+        proxy_pass http://wiki.c2.ank:8080;
+    }
+
+    location /wiki {
+        proxy_pass http://wiki.c2.ank:8080;
     }
 
     location /git {
-        alias /srv/www/gitweb;
-        index gitweb.cgi;
-        fastcgi_split_path_info      ^/git()(/?.+)$;
-        fastcgi_param GITWEB_CONFIG  /etc/gitweb.conf;
-        fastcgi_param DOCUMENT_ROOT  /srv/www/gitweb;
-        fastcgi_param SCRIPT_NAME    /gitweb.cgi$fastcgi_path_info;
-
-        include fastcgi_params;
-        fastcgi_pass unix:/var/run/fcgiwrap.sock;
+        proxy_pass http://git.c2.ank:8080;
+    }
+
+    location /forum {
+        proxy_pass http://forum.c2.ank:8080;
     }
 
     location /task {
-        index index.php;
-        alias /srv/www/flyspray;
-        try_files $uri $uri/ index.php$is_args$args;
+        proxy_pass http://task.c2.ank:8080;
     }
 
-    location ~  ^/task(.+\.php)$ { ### This location block was the solution
-        alias /srv/www/flyspray;
-        fastcgi_split_path_info ^(.+\.php)(/.+)$;
-        fastcgi_index index.php;
-        try_files $uri /index.php =404;	
-        include /etc/nginx/fastcgi_params;
-        fastcgi_param SCRIPT_FILENAME $document_root$1;
-# fastcgi_pass unix:/var/run/php5-fpm.sock;
-        fastcgi_pass 127.0.0.1:9000;
+    location /shop {
+        proxy_pass http://shop.c2.ank:8080;
     }
 
-    location / {
-        alias /srv/www/pmwiki/;
-        index pmwiki.php;
-        try_files $uri $uri/ /pmwiki.php$is_args$args;
+    location /email {
+        proxy_pass http://email.c2.ank:8080;
     }
 
-# ACME challenge
-    location ^~ /.well-known {
-        allow all;
-        alias /srv/www/pmwiki/pub/cert/.well-known/;
-        default_type "text/plain";
-        try_files $uri =404;
+    location /mirror {
+        proxy_pass http://c1.ank;
     }
 
+    location /awstats {
+        proxy_pass http://awstats.c2.ank:8080;
+    }
+
+    location /stats {
+        proxy_pass http://stats.c2.ank:8080;
+    }
 
-    location ~ \.php$ {
-        alias /srv/www/pmwiki;
-        index pmwiki.php;
-        fastcgi_split_path_info ^(.+\.php)(/.+)$;
-        fastcgi_index pmwiki.php;
-        try_files $uri /pmwiki.php =404;
-        include /etc/nginx/fastcgi_params;
-        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-# fastcgi_pass unix:/var/run/php5-fpm.sock;
-        fastcgi_pass 127.0.0.1:9000;
+    # ACME challenge
+    location ^~ /.well-known {
+        proxy_pass http://wiki.c2.ank;
+    }
+
+    location / {
+        proxy_pass http://frontpage.c2.ank;
     }
 }
diff --git a/tools/conf/etc/nginx/sites-enabled/email.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/email.c2.ank.conf
new file mode 100644
index 0000000..3ae544c
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/email.c2.ank.conf
@@ -0,0 +1,61 @@
+server {
+    listen 8080;
+    server_name email.c2.ank;
+
+#access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git,nohostname main;
+#error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git_err,nohostname debug;
+#access_log /var/log/nginx/roundcube_access.log;
+#error_log /var/log/nginx/roundcube_error.log;
+
+
+
+    location /email {
+        alias /srv/www/email;
+        index index.php;
+        autoindex off;
+    }
+
+# Favicon
+    location ~ ^/email/favicon.ico$ {
+        root /srv/www/email/skins/classic/images;
+        log_not_found off;
+        access_log off;
+        expires max;
+    }
+# Robots file
+    location ~ ^/email/robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+# Deny Protected directories
+    location ~ ^/email/(config|temp|logs)/ {
+        deny all;
+    }
+    location ~ ^/email/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
+        deny all;
+    }
+    location ~ ^/email/(bin|SQL)/ {
+        deny all;
+    }
+# Hide .md files
+    location ~ ^/email/(.+\.md)$ {
+        deny all;
+    }
+# Hide all dot files
+    location ~ ^/email/\. {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+
+    location ~  /email/.*\.php {
+        alias /srv/www/email;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_index index.php;
+        try_files $uri /index.php =404;
+        include /etc/nginx/fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass 127.0.0.1:9000;
+    }
+}
diff --git a/tools/conf/etc/nginx/sites-enabled/forum.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/forum.c2.ank.conf
new file mode 100644
index 0000000..2ed362a
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/forum.c2.ank.conf
@@ -0,0 +1,26 @@
+server {
+    listen 8080;
+    server_name forum.c2.ank;
+
+    #access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_forum,nohostname main;
+    #error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_forum_err,nohostname debug;
+
+    root /srv/www/;
+
+    location /forum {
+        index index.php;
+        alias /srv/www/forum;
+        try_files $uri $uri/ index.php$is_args$args;
+    }
+
+    location ~  ^/forum(.+\.php)$ { ### This location block was the solution
+        alias /srv/www/forum;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_index index.php;
+        try_files $uri /index.php =404;
+        include /etc/nginx/fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$1;
+# fastcgi_pass unix:/var/run/php5-fpm.sock;
+        fastcgi_pass 127.0.0.1:9000;
+    }
+}
diff --git a/tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf
new file mode 100644
index 0000000..56e6412
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf
@@ -0,0 +1,28 @@
+server {
+    listen 8080;
+    server_name git.c2.ank;
+
+    #access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git,nohostname main;
+    #error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git_err,nohostname debug;
+
+    #access_log /var/log/nginx/git main;
+    #error_log /var/log/nginx/git_error debug;
+
+    root /srv/www/;
+
+    location /git/static {
+        # static files (png/css) served from /usr/share/gitweb/static
+        alias /srv/www/gitweb/static;
+    }
+
+    location /git {
+        alias /srv/www/gitweb;
+        index gitweb.cgi;
+        fastcgi_split_path_info      ^/git()(/?.+)$;
+        fastcgi_param GITWEB_CONFIG  /etc/gitweb.conf;
+        fastcgi_param DOCUMENT_ROOT  /srv/www/gitweb;
+        fastcgi_param SCRIPT_NAME    /gitweb.cgi$fastcgi_path_info;
+        include fastcgi_params;
+        fastcgi_pass unix:/var/run/fcgiwrap.sock;
+    }
+}
diff --git a/tools/conf/etc/nginx/sites-enabled/git.localhost.conf b/tools/conf/etc/nginx/sites-enabled/git.localhost.conf
deleted file mode 100644
index 910df66..0000000
--- a/tools/conf/etc/nginx/sites-enabled/git.localhost.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-server {
-    listen 443 ssl;
-
-    server_name git.localhost git.machine.example git.machine.example.org;
-
-    root /srv/www/gitweb;
-
-    location /static/ {
-        # static files (png/css) served from /usr/share/gitweb/static
-        root /usr/share/gitweb ;
-        expires 30d;
-    }
-
-    location / {
-        index gitweb.cgi
-        fastcgi_param GITWEB_CONFIG  /etc/gitweb.conf;
-        fastcgi_param DOCUMENT_ROOT  /srv/www/gitweb/;
-        fastcgi_param SCRIPT_NAME    /gitweb.cgi$fastcgi_path_info;
-        fastcgi_split_path_info      ^()(/?.+)$;
-
-        include fastcgi_params;
-        fastcgi_pass unix:/var/run/fcgiwrap.sock;
-     }
-
-}
diff --git a/tools/conf/etc/nginx/sites-enabled/shop.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/shop.c2.ank.conf
new file mode 100644
index 0000000..3a0aea1
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/shop.c2.ank.conf
@@ -0,0 +1,84 @@
+server {
+    listen 8080;
+    server_name shop.c2.ank;
+
+
+    location ~ ^/shop/admin {
+        alias /srv/www/shop/upload/admin;
+        index index.php;
+
+        location ~ ^/shop/admin/config.php {
+            deny all;
+        }
+
+        location ~ \.php$ {
+            include /etc/nginx/fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME $request_filename$1;
+            fastcgi_pass 127.0.0.1:9000;
+        }
+    }
+
+    location ^~ /shop {
+        alias /srv/www/shop/upload;
+        index index.php;
+        #try_files $uri $uri/ index.php$is_args$args;
+        #try_files index.php @opencart;
+
+        location ~ ^/shop/upload/image/data {
+            autoindex on;
+        }
+
+        location ~ ^/shop/config.php {
+            deny all;
+        }
+
+
+        location ~ ^/shop/admin/config.php {
+            deny all;
+        }
+
+# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
+#
+        location ~ ^/shop/\. {
+            deny all;
+            access_log off;
+            log_not_found off;
+        }
+        location ~ ^/shop/\.(jpg|jpeg|png|gif|css|js|ico)$ {
+            expires max;
+            log_not_found off;
+        }
+
+        location ~  \.php$ {
+            include /etc/nginx/fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME $request_filename$1;
+            fastcgi_pass 127.0.0.1:9000;
+            #fastcgi_split_path_info ^(.+\.php)(/.+)$;
+            #fastcgi_split_path_info ^(.+\.php)(.*)$;
+            #fastcgi_index index.php;
+            #try_files $uri /index.php =404;
+    # fastcgi_pass unix:/var/run/php5-fpm.sock;
+        }
+
+    }
+   
+
+location @tribushop {
+        rewrite ^/shop/(.+)$ /shop/index.php?_route_=$1 last;
+    }
+
+    location /shop/engine {
+        deny all;
+    }
+
+    location ~ ^/shop/library {
+        deny all;
+    }
+
+    # Make sure files with the following extensions do not
+    # get loaded by nginx because nginx would display the
+    # source code, and these files can contain PASSWORDS!
+    location ~ ^/shop/\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|.*ini|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ {
+            deny all;
+    }
+}
diff --git a/tools/conf/etc/nginx/sites-enabled/task.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/task.c2.ank.conf
new file mode 100644
index 0000000..2d62e96
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/task.c2.ank.conf
@@ -0,0 +1,21 @@
+server {
+    listen 8080;
+    server_name task.c2.ank;
+
+    location /task {
+        index index.php;
+        alias /srv/www/task;
+        try_files $uri $uri/ index.php$is_args$args;
+    }
+
+    location ~  ^/task(.+\.php)$ { ### This location block was the solution
+        alias /srv/www/task;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_index index.php;
+        try_files $uri /index.php =404;
+        include /etc/nginx/fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$1;
+# fastcgi_pass unix:/var/run/php5-fpm.sock;
+        fastcgi_pass 127.0.0.1:9000;
+    }
+}
diff --git a/tools/conf/etc/nginx/sites-enabled/wiki.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/wiki.c2.ank.conf
new file mode 100644
index 0000000..1504fa1
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/wiki.c2.ank.conf
@@ -0,0 +1,43 @@
+server {
+    listen 8080;
+    server_name wiki.c2.ank;
+
+    #access_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu,nohostname main;
+    #error_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu_err,nohostname debug;
+
+    #access_log /var/log/nginx/wiki main;
+    #error_log /var/log/nginx/wiki_error debug;
+
+    root /srv/www/;
+
+    location /pub {
+        alias /srv/www/wiki/pub;
+    }
+    # ACME challenge
+    location ^~ /.well-known {
+        allow all;
+        alias /srv/www/wiki/pub/cert/.well-known/;
+        default_type "text/plain";
+        try_files $uri =404;
+    }
+
+    location @pmwiki {
+        rewrite ^/wiki/(.*) /wiki/pmwiki.php?n=$1;
+    }
+
+    location /wiki {
+        index pmwiki.php;
+        try_files $uri $uri/ @pmwiki;
+    }
+
+    location ~  ^\/wiki(.+\.php)$ {
+        index pmwiki.php;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_index pmwiki.php;
+        try_files $uri /pmwiki.php =404;
+        include /etc/nginx/fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+# fastcgi_pass unix:/var/run/php5-fpm.sock;
+        fastcgi_pass 127.0.0.1:9000;
+    }
+}
diff --git a/tools/conf/etc/rc.conf b/tools/conf/etc/rc.conf
index 2dbf272..192ef3e 100644
--- a/tools/conf/etc/rc.conf
+++ b/tools/conf/etc/rc.conf
@@ -5,8 +5,8 @@
 FONT=default
 KEYMAP=dvorak
 TIMEZONE="Europe/Lisbon"
-HOSTNAME=machine
-SYSLOG=sysklogd
-SERVICES=(lo iptables wlan blan crond)
+HOSTNAME=c2
+SYSLOG=syslog-ng
+SERVICES=(apparmor lo net iptables sshd ntpd postgresql exim dovecot git-daemon php-fpm fcgiwrap nginx crond)
 
 # End of file
diff --git a/tools/conf/etc/ssh/sshd_config b/tools/conf/etc/ssh/sshd_config
index 6fd955a..495d183 100644
--- a/tools/conf/etc/ssh/sshd_config
+++ b/tools/conf/etc/ssh/sshd_config
@@ -1,4 +1,4 @@
-#	$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
+#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -16,12 +16,7 @@ AddressFamily inet
 #ListenAddress 0.0.0.0
 #ListenAddress ::
 
-
-# The default requires explicit activation of protocol 1
-Protocol 2
-
 #HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
 #HostKey /etc/ssh/ssh_host_ecdsa_key
 #HostKey /etc/ssh/ssh_host_ed25519_key
 
@@ -29,8 +24,8 @@ Protocol 2
 #RekeyLimit default none
 
 # Logging
-#SyslogFacility AUTH
-#LogLevel INFO
+SyslogFacility AUTH
+LogLevel INFO
 
 # Authentication:
 
@@ -40,10 +35,11 @@ PermitRootLogin no
 #StrictModes yes
 MaxAuthTries 3
 #MaxSessions 10
-MaxSessions 3
 
 PubkeyAuthentication yes
 
+AllowGroups admin users gitolite sshproxy
+
 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
 # but this is overridden so installations will only check .ssh/authorized_keys
 AuthorizedKeysFile	.ssh/authorized_keys
@@ -90,7 +86,6 @@ ChallengeResponseAuthentication no
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 #UsePAM no
-#UsePAM no
 
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
@@ -102,8 +97,6 @@ ChallengeResponseAuthentication no
 #PrintMotd yes
 #PrintLastLog yes
 #TCPKeepAlive yes
-#UseLogin no
-#UsePrivilegeSeparation sandbox
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0
@@ -116,11 +109,25 @@ ChallengeResponseAuthentication no
 #VersionAddendum none
 
 # no default banner path
-Banner /etc/issue
+#Banner none
 
 # override default of no subsystems
 Subsystem	sftp	/usr/lib/ssh/sftp-server
 
+Match Group gitolite
+    AllowAgentForwarding no
+    AllowTcpForwarding no
+
+Match Group sshproxy
+    AllowAgentForwarding no
+    PermitTTY no
+    PermitOpen 10.0.0.4:443
+    PermitOpen 10.0.0.4:9418
+    PermitOpen tribu.semdestino.org:443
+    PermitOpen tribu.semdestino.org:9418
+    ForceCommand echo 'This account can only be used for web proxy'
+
+
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 #	X11Forwarding no
diff --git a/tools/conf/etc/syslog-ng.conf b/tools/conf/etc/syslog-ng.conf
index 16c1ddb..b6aa817 100644
--- a/tools/conf/etc/syslog-ng.conf
+++ b/tools/conf/etc/syslog-ng.conf
@@ -1,127 +1,223 @@
-@version: 3.17
+@version: 3.25
+@include "scl.conf"
+
+# Syslog-ng configuration file, compatible with default Debian syslogd
+# installation.
+
+# First, set some global options.
+options { chain_hostnames(off); flush_lines(0); use_dns(no); use_fqdn(no);
+	  owner("root"); group("adm"); perm(0640); stats_freq(0);
+	  bad_hostname("^gconfd$");
+};
+
+########################
+# Sources
+########################
+# This is the default behavior of sysklogd package
+# Logs may come from unix stream, but not from another machine.
 #
-# /etc/syslog-ng: syslog-ng(8) configration file
-# based on a gentoo template added custom changes for crux
+source s_src {
+       system();
+       internal();
+};
 
-# on busy systems you may have to adjus flush_lines and suppress() to avoid
-# heavy disc i/o
-# to change default permissions/owner/group for newly created files add 
-# options like this: owner(root); group(sys); perm(0644);
-
-options { chain_hostnames(off); flush_lines(0); stats_freq(0); create_dirs(on); };
-
-#source where to read log
-source src { unix-stream("/dev/log"); internal(); };
-source kernsrc { file("/proc/kmsg"); };
-
-#define templates
-template t_debug { template("$DATE fac $FACILITY lvl $LEVEL prg $PROGRAM: $MSG\n"); };
-
-#define destinations
-destination authlog { file("/var/log/auth" suppress(5)); };
-destination sudo { file("/var/log/sudo" suppress(5)); };
-destination cron { file("/var/log/cron" suppress(5)); };
-destination kern { file("/var/log/kernel" suppress(5)); };
-destination mail { file("/var/log/mail" suppress(5)); };
-
-destination mailinfo { file("/var/log/mail.info" suppress(5)); };
-destination mailwarn { file("/var/log/mail.warn" suppress(5)); };
-destination mailerr { file("/var/log/mail.err" suppress(5)); };
+# If you wish to get logs from remote machine you should uncomment
+# this and comment the above source line.
+#
+#source s_net { tcp(ip(127.0.0.1) port(1000)); };
 
-#destination newscrit { file("/var/log/news/news.crit" suppress(5)); };
-#destination newserr { file("/var/log/news/news.err" suppress(5)); };
-#destination newsnotice { file("/var/log/news/news.notice" suppress(5)); };
+########################
+# Destinations
+########################
+# First some standard logfile
+#
+destination d_auth { file("/var/log/auth"); };
+destination d_sudo { file("/var/log/sudo" ); };
+destination d_cron { file("/var/log/cron"); };
+destination d_daemon { file("/var/log/daemon"); };
+destination d_kern { file("/var/log/kernel"); };
+destination d_lpr { file("/var/log/lpr"); };
+destination d_mail { file("/var/log/mail"); };
+destination d_syslog { file("/var/log/syslog-ng"); };
+destination d_user { file("/var/log/user"); };
+destination d_uucp { file("/var/log/uucp"); };
+
+# This files are the log come from the mail subsystem.
+#
+destination d_mailinfo { file("/var/log/mail.info"); };
+destination d_mailwarn { file("/var/log/mail.warn"); };
+destination d_mailerr { file("/var/log/mail.err"); };
 
-destination debug { file("/var/log/debug" template(t_debug) suppress(5)); };
-destination messages { file("/var/log/messages" suppress(5)); };
-destination errors { file("/var/log/error" suppress(5)); };
-destination console { usertty("root"); };
-destination console_all { file("/dev/tty12" suppress(5)); };
-destination xconsole { pipe("/dev/xconsole" suppress(5)); };
+# Logging for INN news system
+#
+destination d_newscrit { file("/var/log/news/news.crit"); };
+destination d_newserr { file("/var/log/news/news.err"); };
+destination d_newsnotice { file("/var/log/news/news.notice"); };
 
-#############################################
-# custom destinations
+# Some 'catch-all' logfiles.
 #
+destination d_debug { file("/var/log/debug"); };
+destination d_error { file("/var/log/error"); };
+destination d_messages { file("/var/log/messages"); };
 
-destination d_shorewall_warn { file ("/var/log/shorewall/warn.log"); };
-destination d_shorewall_info { file ("/var/log/shorewall/info.log"); };
+# Custom destinations
+destination d_shorewall_warn { file ("/var/log/shorewall/warn"); };
+destination d_shorewall_info { file ("/var/log/shorewall/info"); };
 destination d_dnsmasq	{ file("/var/log/dnsmasq"); };
 destination d_postgres  { file("/var/log/pgsql"); };
+destination d_mysql  { file("/var/log/pgsql"); };
 destination d_iptables  { file("/var/log/iptables"); };
 destination d_sshd      { file("/var/log/sshd"); };
 destination d_gitolite  { file("/var/log/gitolite"); };
-destination d_nginx_access { file("/var/log/nginx/access.log" owner(root) group(www) perm(0644));  };
-destination d_nginx_error  { file("/var/log/nginx/error.log"); };
+destination d_git-daemon  { file("/var/log/git-daemon"); };
+destination d_nginx_access { file("/var/log/nginx_access"); };
+destination d_nginx_error  { file("/var/log/nginx_error"); };
+destination d_php_fpm { file("/var/log/php-fpm"); };
+destination d_php { file("/var/log/php"); };
+destination d_nginx_vhost { file("/var/log/nginx/vhost_access"); };
+destination d_nginx_vhost_err { file("/var/log/nginx/vhost_error"); };
+
+# The root's console.
+#
+destination d_console { usertty("root"); };
+
+# Virtual console.
+#
+#destination d_console_all { file(`tty10`); };
+destination console { usertty("root"); };
+destination d_console_all { file("/dev/tty12" suppress(5)); };
+destination xconsole { pipe("/dev/xconsole" suppress(5)); };
+
+
+
+# The named pipe /dev/xconsole is for the nsole' utility.  To use it,
+# you must invoke nsole' with the -file' option:
+#
+#    $ xconsole -file /dev/xconsole [...]
+#
+destination d_xconsole { pipe("/dev/xconsole"); };
 
+# Send the messages to an other host
+#
+#destination d_net { tcp("127.0.0.1" port(1000) log_fifo_size(1000)); };
 
-#create filters
-filter f_authpriv { facility(auth, authpriv); };
-filter f_cron { facility(cron); };
-filter f_kern { facility(kern); };
-filter f_mail { facility(mail); };
-#filter f_debug { not facility(auth, authpriv, mail) and not program(sudo); }; 
-filter f_debug { not facility(mail) and not program(sudo); }; 
-filter f_messages { level(info..warn)
-        and not facility(auth, authpriv, mail) and not program(sudo); };
-filter f_sudo { program(sudo); };
-filter f_errors { level(err..emerg); };
+# Debian only
+destination d_ppp { file("/var/log/ppp"); };
 
-filter f_emergency { level(emerg); };
+########################
+# Filters
+########################
+# Here's come the filter options. With this rules, we can set which 
+# message go where.
 
+filter f_dbg { level(debug); };
 filter f_info { level(info); };
 filter f_notice { level(notice); };
 filter f_warn { level(warn); };
-filter f_crit { level(crit); };
 filter f_err { level(err); };
+filter f_crit { level(crit .. emerg); };
+
+filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
+filter f_error { level(err .. emerg) ; };
+filter f_messages { level(info,notice,warn)
+                    and not facility(auth,authpriv,cron,daemon,mail,news,local0); };
+
+filter f_auth { facility(auth, authpriv) and not filter(f_debug); };
+filter f_sudo { facility(auth, authpriv) and program("^sudo$"); };
+filter f_cron { facility(cron) and not filter(f_debug);};
+filter f_daemon { facility(daemon, local0)
+        and not filter(f_debug)
+        and not program("^php$")
+        and not program("^nginx_vhost$")
+        and not program("^nginx_vhost_err$");};
+filter f_kern { facility(kern) and not filter(f_debug); };
+filter f_lpr { facility(lpr) and not filter(f_debug); };
+filter f_local { facility(local0, local1, local3, local4, local5,
+                        local6, local7) and not filter(f_debug); };
+filter f_mail { facility(mail) and not filter(f_debug); };
+filter f_news { facility(news) and not filter(f_debug); };
+filter f_syslog3 { program("^syslog-ng$");};
+filter f_user { facility(user) and not filter(f_debug); };
+filter f_uucp { facility(uucp) and not filter(f_debug); };
+
+filter f_cnews { level(notice, err, crit) and facility(news); };
+filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); };
+
+filter f_ppp { facility(local2) and not filter(f_debug); };
+filter f_console { level(warn .. emerg); };
 
-#############################################
 # custom filters
-#
-filter f_dnsmasq { program("dnsmasq"); };
-filter f_postgres { facility(local0); };
-filter f_sshd { facility(local1); };
+
+filter f_dnsmasq { program("^dnsmasq$"); };
+filter f_postgres { facility(local0) and program("^postgresql$"); };
+filter f_sshd { facility(auth) and program("^sshd$"); };
 
 filter f_iptables { facility(kern) and match("iptables" value("MESSAGE")) };
 filter f_shorewall_warn { level (warn) and match ("Shorewall" value("MESSAGE")); };
 filter f_shorewall_info {level (info) and match ("Shorewall" value("MESSAGE")); };
-filter f_gitolite { program("gitolite"); };
-filter f_nginx_access { match("nginx_access:" value("MESSAGE")); };
-filter f_nginx_error { match("nginx_error:" value("MESSAGE")); };
-
-# examples for text-matching (beware of performance issues)
-#filter f_failed { match("failed"); };
-#filter f_denied { match("denied"); };
-
-#connect filter and destination
-log { source(src); filter(f_authpriv); destination(authlog); };
-log { source(src); filter(f_sudo); destination(sudo); };
-log { source(src); filter(f_cron); destination(cron); };
-log { source(kernsrc); filter(f_kern); destination(kern); };
-log { source(src); filter(f_mail); destination(mail); };
-log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
-log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
-log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
-
-#log { source(src); filter(f_debug); destination(debug); };
-log { source(src); filter(f_messages); destination(messages); };
-log { source(src); filter(f_errors); destination(errors); };
-log { source(src); filter(f_emergency); destination(console); };
-
-#default log
-#log { source(src); destination(console_all); };
-
-#############################################
-# custom 
-#
-
-log { source (kernsrc); filter (f_iptables); destination (d_iptables);};
-log { source (kernsrc); filter (f_shorewall_warn); destination (d_shorewall_warn);};
-log { source (kernsrc); filter (f_shorewall_info); destination (d_shorewall_info);};
-log { source(src); filter(f_dnsmasq); destination(d_dnsmasq);};
-log { source(src); filter(f_postgres); destination(d_postgres);};
-log { source(src); filter(f_sshd); destination(d_sshd);};
-log { source(src); filter(f_gitolite); destination(d_gitolite);};
-log { source(src); filter(f_nginx_error); destination(d_nginx_error);};
-log { source(src); filter(f_nginx_access); destination(d_nginx_access);};
+filter f_gitolite { program("^gitolite$"); };
+filter f_git-daemon { program("^git-daemon$"); };
+filter f_nginx_error { facility(daemon) and program("^nginx$"); };
+filter f_nginx_vhost { facility(daemon) and program("^nginx_vhost$");};
+filter f_nginx_vhost_err { facility(daemon) and program("^nginx_vhost_err$");};
+filter f_php_fpm { facility(daemon) and program("^php-fpm$");};
+filter f_php { facility(daemon) and program("^php$");};
+
+# custom logs
+log { source(s_src); filter(f_php_fpm); destination(d_php_fpm); };
+log { source(s_src); filter(f_php); destination(d_php); };
+log { source(s_src); filter(f_nginx_vhost); destination(d_nginx_vhost); };
+log { source(s_src); filter(f_nginx_vhost_err); destination(d_nginx_vhost_err); };
+log { source(s_src); filter(f_sshd); destination(d_sshd);};
+log { source (s_src); filter (f_iptables); destination (d_iptables);};
+log { source (s_src); filter (f_shorewall_warn); destination (d_shorewall_warn);};
+log { source (s_src); filter (f_shorewall_info); destination (d_shorewall_info);};
+log { source(s_src); filter(f_dnsmasq); destination(d_dnsmasq);};
+log { source(s_src); filter(f_postgres); destination(d_postgres);};
+log { source(s_src); filter(f_gitolite); destination(d_gitolite);};
+log { source(s_src); filter(f_git-daemon); destination(d_git-daemon);};
+log { source(s_src); filter(f_nginx_error); destination(d_nginx_error);};
+
+########################
+# Log paths
+########################
+log { source(s_src); filter(f_auth); destination(d_auth); };
+log { source(s_src); filter(f_sudo); destination(d_sudo); };
+log { source(s_src); filter(f_cron); destination(d_cron); };
+log { source(s_src); filter(f_daemon); destination(d_daemon); };
+log { source(s_src); filter(f_kern); destination(d_kern); };
+log { source(s_src); filter(f_lpr); destination(d_lpr); };
+log { source(s_src); filter(f_user); destination(d_user); };
+log { source(s_src); filter(f_uucp); destination(d_uucp); };
+
+log { source(s_src); filter(f_mail); destination(d_mail); };
+log { source(s_src); filter(f_mail); filter(f_info); destination(d_mailinfo); };
+log { source(s_src); filter(f_mail); filter(f_warn); destination(d_mailwarn); };
+log { source(s_src); filter(f_mail); filter(f_err); destination(d_mailerr); };
+
+log { source(s_src); filter(f_news); filter(f_crit); destination(d_newscrit); };
+log { source(s_src); filter(f_news); filter(f_err); destination(d_newserr); };
+log { source(s_src); filter(f_news); filter(f_notice); destination(d_newsnotice); };
+#log { source(s_src); filter(f_cnews); destination(d_console_all); };
+#log { source(s_src); filter(f_cother); destination(d_console_all); };
+
+#log { source(s_src); filter(f_ppp); destination(d_ppp); };
+
+log { source(s_src); filter(f_debug); destination(d_debug); };
+log { source(s_src); filter(f_error); destination(d_error); };
+log { source(s_src); filter(f_messages); destination(d_messages); };
+log { source(s_src); filter(f_syslog3); destination(d_syslog); };
+log { source(s_src); filter(f_console); destination(d_console_all);
+				    destination(d_xconsole); };
+log { source(s_src); filter(f_crit); destination(d_console); };
 
+#
+# 
+# All messages send to a remote site
+#
+#log { source(s_src); destination(d_net); };
 
+###
+# Include all config files in /etc/syslog-ng/conf.d/
+###
+@include "/etc/syslog-ng/conf.d/*.conf"
diff --git a/tools/conf/srv/gitolite/.gitolite.rc b/tools/conf/srv/gitolite/.gitolite.rc
index fa18e4e..d2c80b7 100644
--- a/tools/conf/srv/gitolite/.gitolite.rc
+++ b/tools/conf/srv/gitolite/.gitolite.rc
@@ -28,7 +28,7 @@
     # logging options
     # 1. leave this section as is for 'normal' gitolite logging (default)
     # 2. uncomment this line to log ONLY to syslog:
-    # LOG_DEST                      => 'syslog',
+    LOG_DEST                      => 'syslog',
     # 3. uncomment this line to log to syslog and the normal gitolite log:
     # LOG_DEST                      => 'syslog,normal',
     # 4. prefixing "repo-log," to any of the above will **also** log just the
diff --git a/tools/conf/srv/gitolite/deploy-web-doc b/tools/conf/srv/gitolite/deploy-web-doc
index ae8e2db..b836515 100755
--- a/tools/conf/srv/gitolite/deploy-web-doc
+++ b/tools/conf/srv/gitolite/deploy-web-doc
@@ -2,7 +2,7 @@
 ######################################################################
 #
 # Put this file in your gitolite-admin;
-# ~/gitolite-admin/local/hooks/repo-specific/deploy-web-doc
+# ~/gitolite-admin/local/hooks/repo-specific/hook-deploy-web
 #
 # set host to empty to create package for each push
 # or set remote host to create package based on last deployed push
diff --git a/tools/conf/srv/gitolite/deploy-web.sh b/tools/conf/srv/gitolite/deploy-web.sh
index 01e92ac..86d2026 100644
--- a/tools/conf/srv/gitolite/deploy-web.sh
+++ b/tools/conf/srv/gitolite/deploy-web.sh
@@ -3,7 +3,7 @@
 pkg_path=$1
 
 www_root="/srv/www"
-www_user="nginx"
+www_user="www"
 www_group="www"
 
 pkg_file="${pkg_path}/project"
diff --git a/tools/conf/srv/gitolite/gitolite.conf b/tools/conf/srv/gitolite/gitolite.conf
index 3de7ba5..2685d90 100644
--- a/tools/conf/srv/gitolite/gitolite.conf
+++ b/tools/conf/srv/gitolite/gitolite.conf
@@ -1,80 +1,73 @@
-@guests         =   gitweb
-@interns        =   silvino
-@dev            =   silvino
-@teamleads      =   silvino
-@staff          =   @interns @dev @teamleads
+@guests         =   bob
+@interns        =   bob
+@dev            =   bob alice
+@teamleads      =   druid bob
+@staff          =   @interns @dev
+
 
 repo  @secret
     - = @guests
     option deny-rules = 1
 
 repo @floss
-    RW+                     =   @dev @staff
+    RW+                     =   @staff
     R                       =   @all
 
 repo @project
     RW+                     =   @teamleads
-    -   master              =   @dev
-    -   refs/tags/v[0-9]    =   @dev
-    RW+ develop/            =   @dev
-    RW+ feature/            =   @dev
-    RW+ hot-fix/            =   @dev
-    RW                      =   @dev
-    R                       =   @interns
+    -   master              =   @staff @guests
+    -   refs/tags/          =   @staff @guests
+    RW+ develop/            =   @staff
+    RW+ feature/            =   @staff
+    RW+ hot-fix/            =   @staff
+    RW                      =   @staff
+    R                       =   @all
 
 repo @mirror
+    R                       =   @all
     RW+ release/            =   @teamleads
     RW+ develop/            =   @dev
     RW+ feature/            =   @dev
     RW+ hot-fix/            =   @dev
-    R                       =   @all
+    option upstream.nice    = 120
 
 repo gitolite-admin
     RW+     =   gitolite
 
-repo doc machine-ports pmwiki assistant
-    config gitweb.owner         =   "Tribu Team"
-    config gitweb.category      =   "machine"
-
-repo linux-pck
-    config gitweb.owner         =   "Tribu Team"
-    config gitweb.category      =   "mirrors"
+repo mate
+    config gitweb.description   = "Mate ports"
 
-repo opt core contrib
-    config gitweb.owner         =   "crux"
-    config gitweb.category      =   "crux"
+repo kde5
+    config gitweb.description   = "Kde5 ports"
 
-repo doc
-    config gitweb.description   =   "documentation"
-    option hook.post-receive     =  deploy-web-doc
-
-repo machine-ports
-    config gitweb.description   =   "ports"
+repo xorg
+    config gitweb.description   = "Xorg ports"
 
-repo pmwiki
-    config gitweb.description   =   "wiki"
-    option hook.post-receive     =  deploy-web-doc
+repo contrib
+    config gitweb.description   = "Contrib ports"
 
-repo assistant
-    config gitweb.owner         =   "Tribu Team"
-    config gitweb.description   =   "open assistant"
+repo opt
+    config gitweb.description   = "Opt ports"
 
 repo core
-    config gitweb.description   =   "crux core collection"
+    config gitweb.description   = "Core ports"
 
-repo opt
-    config gitweb.description   =   "crux opt collection"
+repo doc
+    config gitweb.description   = "System doc."
+    option hook.post-receive    = deploy-web-doc
 
-repo contrib
-    config gitweb.description   =   "crux contrib collection"
+repo ports
+    config gitweb.description   = "Extra ports."
+    option hook.post-receive    = deploy-web-doc
 
-repo linux-pck
-    config gitweb.description   =   "PCK or Parabola Community Kernel are multiple patches, pf-kernel and zen-kernel for Linux-libre kernel"
-    option      upstream.url    = git://git.parabola.nu/pck.git
-    option      upstream.nice   = 120
+repo doc
+    config gitweb.owner         =   "Team"
+    config gitweb.category      =   "Repositories"
 
+repo core opt contrib ports xorg iso mate kde5
+    config gitweb.owner         =   "Team"
+    config gitweb.category      =   "Host Ports"
 
-@secret    =   gitolite-admin
-@project   =   doc machine-ports pmwiki assistant
-@project   =   core opt contrib
-@mirror    =   linux-pck
+@secret    = gitolite-admin
+@project   = doc
+@project   = core opt contrib ports xorg iso mate kde5 webdata
diff --git a/tools/conf/srv/pgsql/data/pg_hba.conf b/tools/conf/srv/pgsql/data/pg_hba.conf
index af37ab4..f60af44 100644
--- a/tools/conf/srv/pgsql/data/pg_hba.conf
+++ b/tools/conf/srv/pgsql/data/pg_hba.conf
@@ -81,20 +81,14 @@
 # TYPE  DATABASE        USER            ADDRESS                 METHOD
 
 # "local" is for Unix domain socket connections only
-#local   all             all                                     trust
+local   all             postgres                                scram-sha-256
+#local   all             postgres                                trust
 # IPv4 local connections:
-#host    all             all             127.0.0.1/32            trust
+host    all             postgres        127.0.0.1/32            scram-sha-256
 # IPv6 local connections:
-#host    all             all             ::1/128                 trust
+host    all             postgres        ::1/128                 scram-sha-256
 # Allow replication connections from localhost, by a user with the
 # replication privilege.
-#local   replication     all                                     trust
-#host    replication     all             127.0.0.1/32            trust
-#host    replication     all             ::1/128                 trust
-
-# TYPE  DATABASE    USER     ADDRESS       METHOD
-local   postgres    postgres               trust
-host    postgres    postgres 127.0.0.1/32  trust
-host    db_flyspray flyspray 127.0.0.1/32  md5
-host    all         all      127.0.0.1/32  scram-sha-256
-host    all         all      0.0.0.0/0     reject
+local   replication     postgres                                 scram-sha-256
+host    replication     postgres         127.0.0.1/32            scram-sha-256
+host    replication     postgres         ::1/128                 scram-sha-256
diff --git a/tools/conf/srv/pgsql/data/postgresql.conf b/tools/conf/srv/pgsql/data/postgresql.conf
index e25ab49..4497df9 100644
--- a/tools/conf/srv/pgsql/data/postgresql.conf
+++ b/tools/conf/srv/pgsql/data/postgresql.conf
@@ -73,7 +73,7 @@ max_connections = 100			# (change requires restart)
 #bonjour_name = ''			# defaults to the computer name
 					# (change requires restart)
 
-# - TCP Keepalives -
+# - TCP settings -
 # see "man 7 tcp" for details
 
 #tcp_keepalives_idle = 0		# TCP_KEEPIDLE, in seconds;
@@ -82,12 +82,14 @@ max_connections = 100			# (change requires restart)
 					# 0 selects the system default
 #tcp_keepalives_count = 0		# TCP_KEEPCNT;
 					# 0 selects the system default
+#tcp_user_timeout = 0			# TCP_USER_TIMEOUT, in milliseconds;
+					# 0 selects the system default
 
 # - Authentication -
 
 #authentication_timeout = 1min		# 1s-600s
 #password_encryption = md5		# md5 or scram-sha-256
-password_encryption = scram-sha-256	# md5 or scram-sha-256
+password_encryption = scram-sha-256     # md5 or scram-sha-256
 #db_user_namespace = off
 
 # GSSAPI using Kerberos
@@ -107,6 +109,8 @@ ssl_key_file = '/etc/ssl/keys/pg.key'
 #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
 #ssl_prefer_server_ciphers = on
 #ssl_ecdh_curve = 'prime256v1'
+#ssl_min_protocol_version = 'TLSv1'
+#ssl_max_protocol_version = ''
 #ssl_dh_params_file = ''
 #ssl_passphrase_command = ''
 #ssl_passphrase_command_supports_reload = off
@@ -131,13 +135,18 @@ shared_buffers = 128MB			# min 128kB
 #maintenance_work_mem = 64MB		# min 1MB
 #autovacuum_work_mem = -1		# min 1MB, or -1 to use maintenance_work_mem
 #max_stack_depth = 2MB			# min 100kB
+#shared_memory_type = mmap		# the default is the first option
+					# supported by the operating system:
+					#   mmap
+					#   sysv
+					#   windows
+					# (change requires restart)
 dynamic_shared_memory_type = posix	# the default is the first option
 					# supported by the operating system:
 					#   posix
 					#   sysv
 					#   windows
 					#   mmap
-					# use none to disable dynamic shared memory
 					# (change requires restart)
 
 # - Disk -
@@ -152,7 +161,7 @@ dynamic_shared_memory_type = posix	# the default is the first option
 
 # - Cost-Based Vacuum Delay -
 
-#vacuum_cost_delay = 0			# 0-100 milliseconds
+#vacuum_cost_delay = 0			# 0-100 milliseconds (0 disables)
 #vacuum_cost_page_hit = 1		# 0-10000 credits
 #vacuum_cost_page_miss = 10		# 0-10000 credits
 #vacuum_cost_page_dirty = 20		# 0-10000 credits
@@ -203,6 +212,8 @@ dynamic_shared_memory_type = posix	# the default is the first option
 #wal_compression = off			# enable compression of full-page writes
 #wal_log_hints = off			# also do full page writes of non-critical updates
 					# (change requires restart)
+#wal_init_zero = on			# zero-fill new WAL files
+#wal_recycle = on			# recycle WAL files
 #wal_buffers = -1			# min 32kB, -1 sets based on shared_buffers
 					# (change requires restart)
 #wal_writer_delay = 200ms		# 1-10000 milliseconds
@@ -231,6 +242,42 @@ min_wal_size = 80MB
 #archive_timeout = 0		# force a logfile segment switch after this
 				# number of seconds; 0 disables
 
+# - Archive Recovery -
+
+# These are only used in recovery mode.
+
+#restore_command = ''		# command to use to restore an archived logfile segment
+				# placeholders: %p = path of file to restore
+				#               %f = file name only
+				# e.g. 'cp /mnt/server/archivedir/%f %p'
+				# (change requires restart)
+#archive_cleanup_command = ''	# command to execute at every restartpoint
+#recovery_end_command = ''	# command to execute at completion of recovery
+
+# - Recovery Target -
+
+# Set these only when performing a targeted recovery.
+
+#recovery_target = ''		# 'immediate' to end recovery as soon as a
+                                # consistent state is reached
+				# (change requires restart)
+#recovery_target_name = ''	# the named restore point to which recovery will proceed
+				# (change requires restart)
+#recovery_target_time = ''	# the time stamp up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_xid = ''	# the transaction ID up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_lsn = ''	# the WAL LSN up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_inclusive = on # Specifies whether to stop:
+				# just after the specified recovery target (on)
+				# just before the recovery target (off)
+				# (change requires restart)
+#recovery_target_timeline = 'latest'	# 'current', 'latest', or timeline ID
+				# (change requires restart)
+#recovery_target_action = 'pause'	# 'pause', 'promote', 'shutdown'
+				# (change requires restart)
+
 
 #------------------------------------------------------------------------------
 # REPLICATION
@@ -264,6 +311,11 @@ min_wal_size = 80MB
 
 # These settings are ignored on a master server.
 
+#primary_conninfo = ''			# connection string to sending server
+					# (change requires restart)
+#primary_slot_name = ''			# replication slot on sending server
+					# (change requires restart)
+#promote_trigger_file = ''		# file name whose presence ends recovery
 #hot_standby = on			# "off" disallows queries during recovery
 					# (change requires restart)
 #max_standby_archive_delay = 30s	# max delay before canceling queries
@@ -281,6 +333,7 @@ min_wal_size = 80MB
 					# in milliseconds; 0 disables
 #wal_retrieve_retry_interval = 5s	# time to wait before retrying to
 					# retrieve WAL after a failed attempt
+#recovery_min_apply_delay = 0		# minimum delay for applying changes during recovery
 
 # - Subscribers -
 
@@ -356,7 +409,10 @@ min_wal_size = 80MB
 #join_collapse_limit = 8		# 1 disables collapsing of explicit
 					# JOIN clauses
 #force_parallel_mode = off
-#jit = off				# allow JIT compilation
+#jit = on				# allow JIT compilation
+jit = off				# allow JIT compilation
+#plan_cache_mode = auto			# auto, force_generic_plan or
+					# force_custom_plan
 
 
 #------------------------------------------------------------------------------
@@ -365,9 +421,8 @@ min_wal_size = 80MB
 
 # - Where to Log -
 
-#log_destination = 'stderr'		# Valid values are combinations of
-#log_destination = 'stderr,syslog'      # Multiple are valide
-log_destination = 'syslog'
+#log_destination = 'stderr'
+#log_destination = 'syslog'		# Valid values are combinations of
 					# stderr, csvlog, syslog, and eventlog,
 					# depending on platform.  csvlog
 					# requires logging_collector to be on.
@@ -400,7 +455,6 @@ log_destination = 'syslog'
 					# 0 disables.
 
 # These are relevant when logging to syslog:
-#syslog_facility = 'LOCAL0'
 syslog_facility = 'LOCAL0'
 syslog_ident = 'postgres'
 #syslog_sequence_numbers = on
@@ -412,17 +466,6 @@ syslog_ident = 'postgres'
 
 # - When to Log -
 
-#client_min_messages = notice		# values in order of decreasing detail:
-					#   debug5
-					#   debug4
-					#   debug3
-					#   debug2
-					#   debug1
-					#   log
-					#   notice
-					#   warning
-					#   error
-
 #log_min_messages = warning		# values in order of decreasing detail:
 					#   debug5
 					#   debug4
@@ -456,6 +499,9 @@ syslog_ident = 'postgres'
 					# statements running at least this number
 					# of milliseconds
 
+#log_transaction_sample_rate = 0.0	# Fraction of transactions whose statements
+					# are logged regardless of their duration. 1.0 logs all
+					# statements from all transactions, 0.0 never logs.
 
 # - What to Log -
 
@@ -464,12 +510,15 @@ syslog_ident = 'postgres'
 #debug_print_plan = off
 #debug_pretty_print = on
 #log_checkpoints = off
+#log_connections = off
 log_connections = on
+#log_disconnections = off
 log_disconnections = on
-log_duration = on
+#log_duration = off
 #log_error_verbosity = default		# terse, default, or verbose messages
+#log_hostname = off
 log_hostname = on
-#log_line_prefix = '%m [%p] '		# special values:
+log_line_prefix = 'd=$d u=% %m [%p] '	# special values:
 					#   %a = application name
 					#   %u = user name
 					#   %d = database name
@@ -492,11 +541,12 @@ log_hostname = on
 					# e.g. '<%u%%%d> '
 #log_lock_waits = off			# log lock waits >= deadlock_timeout
 #log_statement = 'none'			# none, ddl, mod, all
+log_statement = 'mod'			# none, ddl, mod, all
 #log_replication_commands = off
 #log_temp_files = -1			# log temporary files equal or larger
 					# than the specified size in kilobytes;
 					# -1 disables, 0 logs all temp files
-log_timezone = 'Portugal'
+log_timezone = 'Europe/Lisbon'
 
 #------------------------------------------------------------------------------
 # PROCESS TITLE
@@ -553,7 +603,7 @@ log_timezone = 'Portugal'
 #autovacuum_multixact_freeze_max_age = 400000000	# maximum multixact age
 					# before forced vacuum
 					# (change requires restart)
-#autovacuum_vacuum_cost_delay = 20ms	# default vacuum cost delay for
+#autovacuum_vacuum_cost_delay = 2ms	# default vacuum cost delay for
 					# autovacuum, in milliseconds;
 					# -1 means use vacuum_cost_delay
 #autovacuum_vacuum_cost_limit = -1	# default vacuum cost limit for
@@ -567,11 +617,22 @@ log_timezone = 'Portugal'
 
 # - Statement Behavior -
 
+#client_min_messages = notice		# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   log
+					#   notice
+					#   warning
+					#   error
 #search_path = '"$user", public'	# schema names
 #row_security = on
 #default_tablespace = ''		# a tablespace name, '' uses the default
 #temp_tablespaces = ''			# a list of tablespace names, '' uses
 					# only default tablespace
+#default_table_access_method = 'heap'
 #check_function_bodies = on
 #default_transaction_isolation = 'read committed'
 #default_transaction_read_only = off
@@ -597,7 +658,7 @@ log_timezone = 'Portugal'
 
 datestyle = 'iso, mdy'
 #intervalstyle = 'postgres'
-timezone = 'Portugal'
+timezone = 'Europe/Lisbon'
 #timezone_abbreviations = 'Default'     # Select the set of available time zone
 					# abbreviations.  Currently, there are
 					#   Default
@@ -605,7 +666,8 @@ timezone = 'Portugal'
 					#   India
 					# You can create your own file in
 					# share/timezonesets/.
-#extra_float_digits = 0			# min -15, max 3
+#extra_float_digits = 1			# min -15, max 3; any value >0 actually
+					# selects precise output mode
 #client_encoding = sql_ascii		# actually, defaults to database
 					# encoding
 
@@ -654,7 +716,6 @@ default_text_search_config = 'pg_catalog.english'
 
 #array_nulls = on
 #backslash_quote = safe_encoding	# on, off, or safe_encoding
-#default_with_oids = off
 #escape_string_warning = on
 #lo_compat_privileges = off
 #operator_precedence_warning = off
@@ -673,6 +734,9 @@ default_text_search_config = 'pg_catalog.english'
 
 #exit_on_error = off			# terminate session on any error?
 #restart_after_crash = on		# reinitialize after backend crash?
+#data_sync_retry = off			# retry or panic on failure to fsync
+					# data?
+					# (change requires restart)
 
 
 #------------------------------------------------------------------------------
@@ -680,12 +744,13 @@ default_text_search_config = 'pg_catalog.english'
 #------------------------------------------------------------------------------
 
 # These options allow settings to be loaded from files other than the
-# default postgresql.conf.
+# default postgresql.conf.  Note that these are directives, not variable
+# assignments, so they can usefully be given more than once.
 
-#include_dir = 'conf.d'			# include files ending in '.conf' from
-					# directory 'conf.d'
-#include_if_exists = 'exists.conf'	# include file only if it exists
-#include = 'special.conf'		# include file
+#include_dir = '...'			# include files ending in '.conf' from
+					# a directory, e.g., 'conf.d'
+#include_if_exists = '...'		# include file only if it exists
+#include = '...'			# include file
 
 
 #------------------------------------------------------------------------------