From 2cbbcd2c3fc97a9fad14f305b5156ce7c09d5b9e Mon Sep 17 00:00:00 2001
From: Matt Simerson
Date: Tue, 21 Jun 2022 09:34:12 -0700
Subject: [PATCH] add private provision scripts
- beaded: updates
- ns1.cad: add install_sentry
- move tnpi scripts into ./tnpi/
- tnpi: add ns3.art, ns3.cad, wp_sim, sigels
- beaded: enable promotion
- move whmcs to tnpi
- tnpi/*: remove dialog4ports, chmod +x
- tinydns: refactor djb installers into include/djb
- update ns1.theartfarm to use include/djb
---
 provision/dovecot.sh | 2 +-
 tnpi/beaded-api.sh | 49 ++++++++
 tnpi/isaac.sh | 35 ++++++
 tnpi/mike.sh | 34 ++++++
 tnpi/ns1.cadillac.net.sh | 77 +++++++++++++
 tnpi/ns1.theartfarm.com.sh | 83 ++++++++++++++
 tnpi/ns2.cadillac.net.sh | 83 ++++++++++++++
 tnpi/ns2.theartfarm.com.sh | 77 +++++++++++++
 tnpi/ns3.cadillac.net.sh | 86 ++++++++++++++
 tnpi/ns3.theartfarm.com.sh | 202 +++++++++++++++++++++++++++++++++
 tnpi/sigels.sh | 119 ++++++++++++++++++++
 {provision => tnpi}/whmcs.sh | 0
 tnpi/wordpress_simerson.sh | 209 +++++++++++++++++++++++++++++++++++
 13 files changed, 1055 insertions(+), 1 deletion(-)
 create mode 100755 tnpi/beaded-api.sh
 create mode 100755 tnpi/isaac.sh
 create mode 100755 tnpi/mike.sh
 create mode 100755 tnpi/ns1.cadillac.net.sh
 create mode 100755 tnpi/ns1.theartfarm.com.sh
 create mode 100755 tnpi/ns2.cadillac.net.sh
 create mode 100755 tnpi/ns2.theartfarm.com.sh
 create mode 100755 tnpi/ns3.cadillac.net.sh
 create mode 100755 tnpi/ns3.theartfarm.com.sh
 create mode 100755 tnpi/sigels.sh
 rename {provision => tnpi}/whmcs.sh (100%)
 create mode 100755 tnpi/wordpress_simerson.sh
diff --git a/provision/dovecot.sh b/provision/dovecot.sh
index 0b78916d..e546b90d 100755
--- a/provision/dovecot.sh
+++ b/provision/dovecot.sh
@@ -597,7 +597,7 @@ base_snapshot_exists || exit
 create_staged_fs dovecot
 mkdir -p "$STAGE_MNT/usr/local/vpopmail"
 start_staged_jail dovecot
-allow_sysvipc_stage
+#allow_sysvipc_stage
 install_dovecot
 configure_dovecot
 stage_resolv_conf
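Review bot: The commented-out `#allow_sysvipc_stage` is dead code with no rationale, and neither this line nor dovecot is mentioned in the commit message, so a later reader cannot tell whether the call was disabled deliberately or left over from debugging. Prefer deleting the line, or replacing it with a one-line comment that states why sysvipc is no longer needed in the staged jail, e.g. `# allow_sysvipc_stage not needed: [reason — TODO confirm]`, and add a bullet for it to the commit message. The top-level statement run this hunk belongs to continues outside the hunk.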
diff --git a/tnpi/beaded-api.sh b/tnpi/beaded-api.sh
new file mode 100755
index 00000000..9c95b8d2
--- /dev/null
+++ b/tnpi/beaded-api.sh
@@ -0,0 +1,49 @@
+#!/bin/sh
+
+# shellcheck disable=1091
+. mail-toaster.sh || exit
+
+mt6-include user
+
+install_beaded_api()
+{
+ tell_status "installing beadedstream API"
+ stage_pkg_install npm-node16 git-lite mongodb44 mongodb-tools ssmtp
+ stage_exec bash -c "cd /data/db && npm install"
+ stage_exec bash -c "cd /data/db/api && npm install"
+ stage_exec npm install -g pm2
+}
+
+configure_beaded_api()
+{
+ tell_status "configuring beaded_api"
+
+ preserve_passdb beaded_api
+ preserve_ssh_host_keys beaded_api
+
+ cp /data/beaded_api/rc.d/pm2_beaded "$STAGE_MNT/usr/local/etc/rc.d/"
+ stage_sysrc pm2_beaded_enable="YES"
+ stage_sysrc sshd_enable="YES"
+}
+
+start_beaded_api()
+{
+ tell_status "configuring beaded_api"
+ stage_exec service pm2_beaded start
+}
+
+test_beaded_api()
+{
+ tell_status "testing beaded_api"
+ stage_listening 3000
+ echo "it works"
+}
+
+base_snapshot_exists || exit
+create_staged_fs beaded_api
+start_staged_jail beaded_api
+install_beaded_api
+configure_beaded_api
+start_beaded_api
+test_beaded_api
+promote_staged_jail beaded_api
diff --git a/tnpi/isaac.sh b/tnpi/isaac.sh
new file mode 100755
index 00000000..a9b3c3e6
--- /dev/null
+++ b/tnpi/isaac.sh
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+# shellcheck disable=1091
+. mail-toaster.sh || exit
+
+install_isaac()
+{
+ tell_status "installing Isaac"
+ stage_pkg_install python37
+}
+
+configure_isaac()
+{
+ tell_status "configuring isaac"
+ echo "WARN: manually copy passwd & group files over"
+}
+
+start_isaac()
+{
+ tell_status "configuring isaac"
+}
+
+test_isaac()
+{
+ tell_status "testing isaac"
+}
+
+base_snapshot_exists || exit
+create_staged_fs isaac
+start_staged_jail isaac
+install_isaac
+configure_isaac
+start_isaac
+test_isaac
+promote_staged_jail isaac
diff --git a/tnpi/mike.sh b/tnpi/mike.sh
new file mode 100755
index 00000000..e649fa7a
--- /dev/null
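Review bot: The two `npm install` calls in `install_beaded_api` resolve dependencies from the registry at provision time and run whatever lifecycle scripts the resolved packages ship, as root inside the jail, so what ends up in the promoted jail depends on the registry that day rather than on a reviewed lockfile. If `/data/db` and `/data/db/api` carry a `package-lock.json`, `npm ci` installs exactly what is locked; `stage_exec npm install -g pm2` is likewise unpinned and should name a version. Consider running the installs with `--ignore-scripts` unless a package is known to need its build step. Separately, `start_beaded_api` reports `tell_status "configuring beaded_api"` where `tell_status "starting beaded_api"` is meant.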
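Review bot: `configure_isaac` only prints `WARN: manually copy passwd & group files over`, whereas the sibling `tnpi/beaded-api.sh` in this same commit does that step with `preserve_passdb`; `preserve_passdb isaac` (with `mt6-include user`, as beaded-api.sh has) would remove the manual step that otherwise has to happen before `promote_staged_jail isaac` replaces the live jail. If the account database is intentionally kept out of this jail, a comment saying so next to the warning would keep the next reader from adding the call. `start_isaac` also reports `tell_status "configuring isaac"` rather than `tell_status "starting isaac"`.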
+++ b/tnpi/mike.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# shellcheck disable=1091
+. mail-toaster.sh || exit
+
+install_mike()
+{
+ tell_status "installing Mike"
+ stage_pkg_install mtr-nox11
+}
+
+configure_mike()
+{
+ tell_status "configuring mike"
+}
+
+start_mike()
+{
+ tell_status "configuring mike"
+}
+
+test_mike()
+{
+ tell_status "testing mike"
+}
+
+base_snapshot_exists || exit
+create_staged_fs mike
+start_staged_jail mike
+install_mike
+configure_mike
+start_mike
+test_mike
+promote_staged_jail mike
diff --git a/tnpi/ns1.cadillac.net.sh b/tnpi/ns1.cadillac.net.sh
new file mode 100755
index 00000000..c8c34d88
--- /dev/null
+++ b/tnpi/ns1.cadillac.net.sh
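Review bot: `start_mike` and `test_mike` contain nothing but a status line, and `start_mike`'s text reads `configuring mike` rather than `starting mike`, so `promote_staged_jail mike` replaces the live jail with nothing verified beyond the package install. If this jail intentionally hosts no service, a comment such as `# shell-only jail: no daemon to start or test` in each stub makes that explicit; otherwise add a `stage_test_running`/`stage_listening` check as the sibling scripts in this commit do.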
@@ -0,0 +1,77 @@
+#!/bin/sh
+
+# shellcheck disable=1091
+. mail-toaster.sh || exit
+
+export JAIL_START_EXTRA=""
+export JAIL_CONF_EXTRA=""
+
+mt6-include user
+
+install_knot()
+{
+ tell_status "installing Knot DNS 3"
+ stage_pkg_install knot3 rsync || exit
+
+ if [ ! -d "$STAGE_MNT/data/home" ]; then
+ mkdir -p "$STAGE_MNT/data/home" || exit
+ fi
+
+ install_nrpe
+ install_sentry
+}
+
+
+install_nrpe()
+{
+ if [ -z "$TOASTER_NRPE" ]; then
+ echo "TOASTER_NRPE unset, skipping nrpe plugin"
+ return
+ fi
+
+ tell_status "installing nrpe plugin"
+ stage_pkg_install nrpe3
+ stage_sysrc nrpe3_enable=YES
+ stage_sysrc nrpe3_configfile="/data/etc/nrpe.cfg"
+}
+
+configure_knot()
+{
+ stage_sysrc sshd_enable=YES
+ stage_sysrc knot_enable=YES
+ stage_sysrc knot_config=/data/etc/knot.conf
+
+ preserve_passdb ns1.cadillac.net
+ stage_exec pw user mod knot -d /data/home/knot -s /bin/sh
+ stage_exec pw user mod root -d /data/home/root -s /usr/local/bin/bash
+}
+
+start_knot()
+{
+ tell_status "starting knot daemon"
+ stage_exec service knot start || exit
+}
+
+test_knot()
+{
+ tell_status "testing knot"
+ stage_test_running knot
+
+ stage_listening 53 8
+ echo "it worked."
+
+ tell_status "testing UDP DNS query"
+ drill ns1.cadillac.net @"$(get_jail_ip stage)" || exit
+
+ tell_status "testing TCP DNS query"
+ drill -t ns1.cadillac.net @"$(get_jail_ip stage)" || exit
+}
+
+base_snapshot_exists || exit
+create_staged_fs ns1.cadillac.net
+start_staged_jail ns1.cadillac.net
+install_knot
+configure_knot
+start_knot
+test_knot
+promote_staged_jail ns1.cadillac.net
diff --git a/tnpi/ns1.theartfarm.com.sh b/tnpi/ns1.theartfarm.com.sh
new file mode 100755
index 00000000..baa6d8e5
--- /dev/null
+++ b/tnpi/ns1.theartfarm.com.sh
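Review bot: `install_knot` calls `install_sentry`, but no function of that name is defined in this file, and nothing visible shows it coming from `mail-toaster.sh` or `mt6-include user`; if it lives in another include it needs to be pulled in here, otherwise the script fails at that call with a command-not-found and, since the file does not use `set -e`, continues into `configure_knot` regardless. `configure_knot` also sets root's login shell to `/usr/local/bin/bash` while the only packages installed are `knot3 rsync`; unless bash is already in the base jail, root is left with a shell that does not exist, and with `sshd_enable=YES` that is only discovered at login time. Consider `stage_pkg_install knot3 rsync bash || exit`, or `-s /bin/sh` for root as is done for `knot`, and append `|| exit` to both `pw user mod` lines so their failure is not silently ignored.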
@@ -0,0 +1,83 @@ +#!/bin/sh + +set -e + +. mail-toaster.sh +. include/djb.sh + +export JAIL_START_EXTRA="" +export JAIL_CONF_EXTRA="" +export JAIL_FSTAB="" + +configure_tinydns() +{ + configure_svscan + configure_tinydns4 + configure_tinydns_data + configure_tinydns6 + stage_sysrc sshd_enable="YES" +} + +configure_tinydns_data() +{ + _data_root="$ZFS_DATA_MNT/ns1.theartfarm.com/root" + if [ -d "$_data_root" ]; then + tell_status "tinydns data already configured" + return + fi + + tell_status "configuring tinydns data" + mv "$STAGE_MNT/var/service/tinydns/root" "$_data_root" + tee -a "$_data_root/data" <&1 + +# logging disabled +exec 1>/dev/null 2>&1 + +exec envuidgid tinydns envdir ./env softlimit -d300000 /usr/local/bin/tinydns +EO_TINYDNS_RUN + + echo "/data/root" > "$STAGE_MNT/var/service/tinydns/env/ROOT" || exit +} + +configure_tinydns6() +{ + tell_status "creating tinydns IPv6 server" + stage_exec tinydns-conf tinydns bin /var/service/tinydns-v6 "$(get_jail_ip6 stage)" + tee "$STAGE_MNT/var/service/tinydns-v6/run" <&1 + +# logging disabled +exec 1>/dev/null 2>&1 + +exec envuidgid tinydns envdir ./env softlimit -d300000 /usr/local/bin/tinydns +EO_TINYDNS_RUN + + echo "/data/root" > "$STAGE_MNT/var/service/tinydns-v6/env/ROOT" || exit +} + +configure_tinydns() +{ + configure_svscan + configure_tinydns4 + configure_tinydns_data + stage_sysrc hostname="ns3.theartfarm.com" + #configure_tinydns6 +} + +configure_tinydns_data() +{ + if [ -d "$ZFS_DATA_MNT/tinydns/root" ]; then + tell_status "tinydns data already configured" + return + fi + + tell_status "configuring tinydns data" + mv "$STAGE_MNT/var/service/tinydns/root" "$ZFS_DATA_MNT/tinydns/root" + tee -a "$ZFS_DATA_MNT/tinydns/root/data" <&1 + +# logging disabled +exec 1>/dev/null 2>&1 + +exec envdir ./env sh -c ' + exec envuidgid tinydns softlimit -d300000 tcpserver -vDRHl0 -x tcp.cdb -- "$IP" 53 /usr/local/bin/axfrdns +' +EO_AXFRDNS_RUN + + tee "$STAGE_MNT/var/service/axfrdns/tcp" <&1 + +# logging disabled 
+exec 1>/dev/null 2>&1 + +exec envdir ./env sh -c ' + exec envuidgid tinydns softlimit -d300000 tcpserver -vDRHl0 -x tcp.cdb -- "$IP" 53 /usr/local/bin/axfrdns +' +EO_AXFRDNS_RUN + + tee "$STAGE_MNT/var/service/axfrdns-v6/tcp" < "$STAGE_MNT/data/etc/opendkim.conf" +} + +configure_postfix() +{ + stage_sysrc postfix_enable=YES + stage_exec postconf -e "myhostname = sigels.com" + stage_exec postconf -e 'smtp_use_tls=yes' + stage_exec postconf -e 'smtp_tls_security_level = may' + stage_exec postconf -e "mynetworks = ${JAIL_NET_PREFIX}.0${JAIL_NET_MASK}" + + if [ -f "$ZFS_DATA_MNT/etc/sasl_passwd" ]; then + stage_exec postmap /data/etc/sasl_passwd + stage_exec postconf -e 'smtp_sasl_auth_enable = yes' + stage_exec postconf -e 'smtp_sasl_password_maps = hash:/data/etc/sasl_passwd' + fi + + if [ -n "$TOASTER_NRPE" ]; then + stage_sysrc nrpe3_enable=YES + stage_sysrc nrpe3_configfile="/data/etc/nrpe.cfg" + fi + + for _f in master main + do + if [ -f "$ZFS_DATA_MNT/sigels/etc/$_f.cf" ]; then + cp "$ZFS_DATA_MNT/sigels/etc/$_f.cf" "$STAGE_MNT/usr/local/etc/postfix/" + fi + done + + if [ -f "$ZFS_JAIL_MNT/sigels/etc/aliases" ]; then + tell_status "preserving /etc/aliases" + cp "$ZFS_JAIL_MNT/sigels/etc/aliases" "$STAGE_MNT/etc/aliases" + stage_exec newaliases + fi + + if [ ! -f "$ZFS_JAIL_MNT/usr/local/etc/mail/mailer.conf" ]; then + if [ ! 
-d "$ZFS_JAIL_MNT/usr/local/etc/mail" ]; then + mkdir "$ZFS_JAIL_MNT/usr/local/etc/mail" + fi + stage_exec install -m 0644 /usr/local/share/postfix/mailer.conf.postfix /usr/local/etc/mail/mailer.conf + fi + + configure_opendkim +} + +start_postfix() +{ + tell_status "starting postfix" + if [ -n "$_has_dkim" ]; then + stage_exec service milter-opendkim start + fi + stage_exec service postfix start || exit +} + +test_postfix() +{ + if [ -n "$_has_dkim" ]; then + tell_status "testing opendkim" + stage_test_running opendkim + stage_listening 2016 + fi + + tell_status "testing postfix" + stage_test_running master + stage_listening 25 + echo "it worked." +} + +base_snapshot_exists || exit +create_staged_fs sigels +start_staged_jail sigels +install_postfix +configure_postfix +start_postfix +test_postfix +promote_staged_jail sigels diff --git a/provision/whmcs.sh b/tnpi/whmcs.sh similarity index 100% rename from provision/whmcs.sh rename to tnpi/whmcs.sh diff --git a/tnpi/wordpress_simerson.sh b/tnpi/wordpress_simerson.sh new file mode 100755 index 00000000..6c220784 --- /dev/null +++ b/tnpi/wordpress_simerson.sh 
@@ -0,0 +1,209 @@ +#!/bin/sh + +# shellcheck disable=1091 +. mail-toaster.sh || exit + +export JAIL_START_EXTRA="" +export JAIL_CONF_EXTRA="" + +mt6-include php +mt6-include nginx + +install_wordpress() +{ + assure_jail mysql + + install_nginx + install_php 74 "ctype curl ftp gd hash json mysqli session tokenizer xml zip zlib" + + # stage_pkg_install wordpress + stage_port_install www/wordpress || exit +} + +configure_nginx_standalone() +{ + if [ -f "$STAGE_MNT/data/etc/nginx-locations.conf" ]; then + tell_status "preserving /data/etc/nginx-locations.conf" + return + fi + + tee "$STAGE_MNT/data/etc/nginx-locations.conf" <<'EO_WP_NGINX' + + server_name wordpress; + index index.php; + root /usr/local/www; + + location = /favicon.ico { + log_not_found off; + access_log off; + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location / { + # include "?$args" so non-default permalinks don't break + try_files $uri $uri/ /index.php?$args; + } + + location ~ \.php$ { + include /usr/local/etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_intercept_errors on; + fastcgi_pass php; + } + + location ~* \.(?:css|gif|htc|ico|js|jpe?g|png|swf)$ { + expires max; + log_not_found off; + } + +EO_WP_NGINX + +} + +configure_nginx_with_path() +{ + if [ -f "$STAGE_MNT/data/etc/nginx-locations.conf" ]; then + tell_status "preserving /data/etc/nginx-locations.conf" + return + fi + + local _uri_path="$1" + if [ -z "$_uri_path" ]; then + tell_status "using /wpn (wordpress network) for WP url path" + _uri_path="/wpn" + fi + + tee "$STAGE_MNT/data/etc/nginx-locations.conf" <<'EO_WP_NGINX' + + server_name wordpress; + index index.php; + root /usr/local/www/wordpress; + + # all PHP scripts, optionally within /wpn/ + location ~ ^/(?:wpn/)?(?