From da037e49e39a62500a4189b460d1036ca52279b9 Mon Sep 17 00:00:00 2001 
From: Matt Simerson Date: Mon, 11 Mar 2024 14:53:16 -0700 Subject: [PATCH 01/10] postfix: fix stage path - provision/*: replace many '|| exit' with 'set -e' - *: git-lite -> git-tiny - base: configure dma if available, skip ssmtp - base: added assure_jail_nic, add devfs to fstab - base: add TOASTER_BASE_PKGS, so a config options installs packages in the base jail - dcc: add PF rdr and allow rules - dns: create dns/control - dovecot & mongo: add sysvipc to START_EXTRA - editor: move vim config into include/editor - editor: added TOASTER_EDITOR setting - elastic: add post_configure() - elastic: config stage to work - elastic: check for dir before create - elastic: install beats *after* testing ES & kibana - elastic: kibana registration hoop jumping - es: set correct kibana rc name - haproxy: add pf allow rules - host: direct error handling in plumb_nic - host: quieter hosts - mongo: set local db and config *after* testing - mongo: check for CPU with AVX support - mta stuff into include/mta (sendmail, dma, ssmtp) - added TOASTER_BASE_MTA setting - host: use include/mta - mt: remove lesser known / deprecated opts - mt: use safe name for jails .conf file - mt: more error handling - mt: inline pfrule.sh - mt: added jail_is_running - mt: overwrite pfrule.sh (not append) - nagios: allow raw sockets - postfix: use port installed newaliases cmd - rsnapshot: move * outside of quotes so glob works - shell: in profile, add ll and jexecl - tinydns: refactor djb installers into include/djb - unifi: install v8 - unifi: v8 wants openjdk17 - vpopmail: switch back to port build - vpopmail: install gmake port sooner - vpopmail: get random pass w/o special shell chars --- include/djb.sh | 174 +++++++++++++++++++++++++++++++++++++ include/editor.sh | 88 +++++++++++++++++++ include/mta.sh | 107 +++++++++++++++++++++++ include/shell.sh | 8 ++ mail-toaster.sh | 139 ++++++++++++++++++++--------- provision/base.sh | 112 +++++++++--------------- provision/clamav.sh | 38 ++++---- 
provision/dcc.sh | 20 ++++- provision/dns.sh | 22 +++-- provision/dovecot.sh | 117 ++++++++++++++++--------- provision/elasticsearch.sh | 103 +++++++++++++--------- provision/geoip.sh | 18 ++-- provision/haproxy.sh | 27 +++--- provision/haraka.sh | 42 ++++----- provision/host.sh | 67 ++++++-------- provision/letsencrypt.sh | 4 +- provision/mailtest.sh | 10 ++- provision/mongodb.sh | 44 ++++++---- provision/mysql.sh | 20 +++-- provision/nagios.sh | 3 +- provision/nictool.sh | 2 +- provision/postfix.sh | 10 +-- provision/roundcube.sh | 36 ++++---- provision/rsnapshot.sh | 2 +- provision/rspamd.sh | 8 +- provision/snappymail.sh | 12 +-- provision/spamassassin.sh | 32 +++---- provision/tinydns.sh | 148 +++---------------------------- provision/unifi.sh | 12 ++- provision/vpopmail.sh | 51 ++++++----- provision/webmail.sh | 12 +-- provision/wildduck.sh | 2 +- provision/zonemta.sh | 2 +- test/vmware.sh | 2 +- 34 files changed, 945 insertions(+), 549 deletions(-) create mode 100644 include/djb.sh create mode 100644 include/editor.sh create mode 100644 include/mta.sh diff --git a/include/djb.sh b/include/djb.sh new file mode 100644 index 00000000..3374553e --- /dev/null +++ b/include/djb.sh 
@@ -0,0 +1,174 @@ +#!/bin/sh + +set -e + +install_daemontools() +{ + tell_status "installing daemontools" + stage_pkg_install rsync daemontools +} + +install_ucspi_tcp() +{ + tell_status "installing ucspi-tcp with IPv6" + stage_make_conf sysutils_ucspi-tcp_SET 'sysutils_ucspi-tcp_SET=IPV6' + stage_make_conf sysutils_ucspi-tcp_UNSET 'sysutils_ucspi-tcp_UNSET=LIMITS RBL2SMTPD RSS_DIFF SSL' + stage_port_install sysutils/ucspi-tcp +} + +install_djbdns() +{ + if [ ! -d "$STAGE_MNT/data/home" ]; then + mkdir "$STAGE_MNT/data/home" + fi + + stage_pkg_install rsync + + stage_exec pw useradd tinydns -d /data/home/tinydns -m + + install_djbdns_source +} + +install_djbdns_port() +{ + tell_status "installing djbdns port with IPv6" + stage_make_conf dns_djbdns_SET 'dns_djbdns_SET=IP6' + stage_port_install dns/djbdns +} + +install_djbdns_source() +{ + tell_status "installing djbdns + IPv6 from source" + + store_config "$STAGE_MNT/usr/src/djb.sh" "overwrite" < conf-cc +echo 'cc -s' > conf-ld +sed -i .bak -e 's/"\/"/auto_home/; s/02755/0755/g' hier.c +fetch -q -o - https://www.internic.net/domain/named.root \ + | grep ' A ' \ + | awk '{ print $4 }' \ + > dnsroots.global +make setup check +EO_DJBDNS_INSTALLER + stage_exec sh /usr/src/djb.sh +} + +configure_svscan() +{ + if [ ! -d "$STAGE_MNT/var/service" ]; then + tell_status "creating default service dir" + mkdir -p "$STAGE_MNT/var/service" + fi + + if [ ! 
-d "$STAGE_MNT/data/service" ]; then + tell_status "creating local service dir" + mkdir -p "$STAGE_MNT/data/service" + fi + + stage_sysrc svscan_enable="YES" +} + +configure_tinydns4() +{ + tell_status "creating tinydns server" + stage_exec tinydns-conf tinydns bin /var/service/tinydns "$(get_jail_ip stage)" + store_config "$STAGE_MNT/var/service/tinydns/run" "overwrite" <&1 + +# logging disabled +exec 1>/dev/null 2>&1 + +exec envuidgid tinydns envdir ./env softlimit -d300000 /usr/local/bin/tinydns +EO_TINYDNS_RUN + + echo "/data/root" > "$STAGE_MNT/var/service/tinydns/env/ROOT" +} + +configure_tinydns6() +{ + tell_status "creating tinydns IPv6 server" + stage_exec tinydns-conf tinydns bin /var/service/tinydns-v6 "$(get_jail_ip6 stage)" + store_config "$STAGE_MNT/var/service/tinydns-v6/run" "overwrite" <&1 + +# logging disabled +exec 1>/dev/null 2>&1 + +exec envuidgid tinydns envdir ./env softlimit -d300000 /usr/local/bin/tinydns +EO_TINYDNS_RUN + + echo "/data/root" > "$STAGE_MNT/var/service/tinydns-v6/env/ROOT" +} + +configure_axfrdns4() +{ + tell_status "creating axfrdns server" + stage_exec axfrdns-conf tinydns bin /var/service/axfrdns /data "$(get_jail_ip stage)" + store_config "$STAGE_MNT/var/service/axfrdns/run" "overwrite" <<'EO_AXFRDNS_RUN' +#!/bin/sh + +# logging enabled +#exec 2>&1 + +# logging disabled +exec 1>/dev/null 2>&1 + +exec envdir ./env sh -c ' + exec envuidgid tinydns softlimit -d300000 tcpserver -vDRHl0 -x tcp.cdb -- "$IP" 53 /usr/local/bin/axfrdns +' +EO_AXFRDNS_RUN + + store_config "$STAGE_MNT/var/service/axfrdns/tcp" "overwrite" <&1 + +# logging disabled +exec 1>/dev/null 2>&1 + +exec envdir ./env sh -c ' + exec envuidgid tinydns softlimit -d300000 tcpserver -vDRHl0 -x tcp.cdb -- "$IP" 53 /usr/local/bin/axfrdns +' +EO_AXFRDNS_RUN + + store_config "$STAGE_MNT/var/service/axfrdns-v6/tcp" "overwrite" < "$_base/usr/local/etc/ssmtp/ssmtp.conf" || exit + + tee "$_base/etc/mail/mailer.conf" </dev/null | grep -q "$1" || return 1 - echo "$1 
snapshot exists" - return 0 + if zfs list -t snapshot "$1" 2>/dev/null | grep -q "$1"; then + echo "$1 snapshot exists" + return + fi + false } zfs_mountpoint_exists() @@ -480,21 +482,24 @@ get_safe_jail_path() add_jail_conf_d() { + _safe_path="/etc/jail.conf.d/$(safe_jailname $1).conf" if [ -f "/etc/jail.conf.d/$1.conf" ]; then - tell_status "preserving jail config /etc/jail.conf.d/$1.conf" + tell_status "preserving jail config $_safe_path" return fi - tell_status "creating /etc/jail.conf.d/$1.conf" - echo "$(jail_conf_header) + tell_status "creating $_safe_path" + tee "$_safe_path" </dev/null | grep -q $_safe; then + if jail_is_running "$_safe"; then echo "service jail stop $_safe" - service jail stop "$_safe" + if ! service jail stop "$_safe"; then + echo "jail -r $_safe" + if jail -r "$_safe" 2>/dev/null; then echo "removed"; fi + fi fi - echo "jail -r $_safe" - jail -r "$_safe" 2>/dev/null + if jail_is_running "$_safe"; then + echo "jail -r $_safe" + if jail -r "$_safe" 2>/dev/null; then echo "removed"; fi + fi } stage_unmount() 
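Review bot: In `add_jail_conf_d` the existence test still checks `/etc/jail.conf.d/$1.conf` while the file is now written to `$_safe_path`, so for any jail name that `safe_jailname` alters, the "preserving" branch never matches and the config is rewritten on every run. Test the path that is actually written, `if [ -f "$_safe_path" ]; then`, and quote the argument in the assignment, `$(safe_jailname "$1")`. `_safe_path` is also assigned without `local`, so it leaks into the caller's scope. The heredoc body fed to `tee` is not visible in this view, so only the path handling is covered here.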
@@ -570,8 +580,45 @@ install_pfrule() if [ ! -d "$_dir" ]; then mkdir -p "$_dir" || exit 1 fi - fetch -m -o "$_dir/pfrule.sh" "$TOASTER_SRC_URL/contrib/pfrule.sh" || exit 1 - chmod 755 "$_dir/pfrule.sh" || exit 1 + + cat <<'EO_PF_RULE' > "$_dir/pfrule.sh" +#!/bin/sh + +# pfrule.sh +# +# Matt Simerson, matt@tnpi.net, 2023-06 +# +# Use pfctl to load and unload PF rules into named anchors from config +# files. See https://github.com/msimerson/Mail-Toaster-6/wiki/PF + +_etcpath="$(dirname -- "$( readlink -f -- "$0"; )";)" + +usage() { + echo " usage: $0 [ load | unload ]" + echo " " + exit 1 +} + +for _f in "$_etcpath"/*.conf; do + [ -f "$_f" ] || continue + + _anchor=$(basename $_f .conf) # nat, rdr, allow + _jailname=$(basename "$(dirname "$(dirname $_etcpath)")") + _pfctl="pfctl -a $_anchor/$_jailname" + + case "$1" in + "load" ) _cmd="$_pfctl -f $_f" ;; + "unload" ) _cmd="$_pfctl -F all" ;; + * ) usage ;; + esac + + echo "$_cmd" + $_cmd || exit 1 +done + +exit +EO_PF_RULE + chmod 755 "$_dir/pfrule.sh" } install_fstab() @@ -634,8 +681,10 @@ create_staged_fs() fi stage_sysrc hostname="$1" - sed -i '' -e "/^hostname=/ s/_HOSTNAME_/$1/" \ - "$STAGE_MNT/usr/local/etc/ssmtp/ssmtp.conf" || exit 1 + if [ -f "$STAGE_MNT/usr/local/etc/ssmtp/ssmtp.conf" ]; then + sed -i '' -e "/^hostname=/ s/_HOSTNAME_/$1/" \ + "$STAGE_MNT/usr/local/etc/ssmtp/ssmtp.conf" + fi assure_ip6_addr_is_declared "$1" stage_resolv_conf @@ -648,9 +697,8 @@ create_staged_fs() enable_bsd_cache() { - # see if jails are running - jls | grep -q bsd_cache || return; - jls | grep -q dns || return; + if ! jail_is_running bsd_cache; then return; fi + if ! jail_is_running dns; then return; fi # assure services are available sockstat -4 -6 -p 80 -q -j bsd_cache | grep -q . || return 
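Review bot: The pfrule.sh text inlined in `install_pfrule` expands `$_f` and `$_etcpath` unquoted and then executes a command assembled in a string (`$_cmd`), so a rules file or jail path containing whitespace or glob characters is split before it reaches `pfctl`, which runs as root. Quote the expansions and call `pfctl` directly from the `case` arms, keeping the `echo` only for logging. The action in `$1` is validated only inside the loop, so an unknown action in a directory with no `*.conf` files exits 0 without printing usage; checking it once before the loop would close that gap.

```shell
for _f in "$_etcpath"/*.conf; do
  [ -f "$_f" ] || continue

  _anchor=$(basename -- "$_f" .conf) # nat, rdr, allow
  _jailname=$(basename -- "$(dirname -- "$(dirname -- "$_etcpath")")")

  case "$1" in
    "load" )
      echo "pfctl -a $_anchor/$_jailname -f $_f"
      pfctl -a "$_anchor/$_jailname" -f "$_f" || exit 1
      ;;
    "unload" )
      echo "pfctl -a $_anchor/$_jailname -F all"
      pfctl -a "$_anchor/$_jailname" -F all || exit 1
      ;;
    * ) usage ;;
  esac
done
```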
@@ -691,13 +739,10 @@ EO_PKG_MT6 start_staged_jail() { - local _name="$1" - local _path="$2" + local _name=${1:-"$SAFE_NAME"} + local _path=${2:-"$STAGE_MNT"} local _fstab="$ZFS_DATA_MNT/$_name/etc/fstab.stage" - if [ -z "$_name" ]; then _name="$SAFE_NAME"; fi - if [ -z "$_path" ]; then _path="$STAGE_MNT"; fi - if [ "$_name" = "base" ]; then _fstab="$BASE_MNT/data/etc/fstab"; fi tell_status "stage jail $_name startup" @@ -714,8 +759,7 @@ start_staged_jail() exec.stop="/bin/sh /etc/rc.shutdown" \ mount.fstab="$_fstab" \ devfs_ruleset=5 \ - $JAIL_START_EXTRA \ - || exit + $JAIL_START_EXTRA enable_bsd_cache @@ -735,7 +779,7 @@ rename_staged_to_ready() local _zfs_rename="zfs rename $ZFS_JAIL_VOL/stage $_new_vol" echo "$_zfs_rename" until $_zfs_rename; do - if [ "$_tries" -gt 10 ]; then + if [ "$_tries" -gt 5 ]; then echo "trying to force rename" _zfs_rename="zfs rename -f $ZFS_JAIL_VOL/stage $_new_vol" fi @@ -798,7 +842,8 @@ stage_clear_caches() stage_resolv_conf() { - jls | grep -q dns || return; + if ! jail_is_running dns; then return; fi + tell_status "configuring DNS for local recursor" echo "nameserver $(get_jail_ip dns)" > "$STAGE_MNT/etc/resolv.conf" echo "nameserver $(get_jail_ip6 dns)" >> "$STAGE_MNT/etc/resolv.conf" @@ -894,11 +939,8 @@ stage_exec() stage_listening() { echo "checking for port $1 listener in staged jail" - if [ -z "$2" ]; then - sockstat -l -4 -6 -p "$1" -j "$(jls -j stage jid)" | grep -v PROTO || exit - return - fi + local _max_tries=${2:-"1"} local _tries=0 local _listening="" local _sleep="$3" @@ -907,7 +949,7 @@ stage_listening() until [ -n "$_listening" ]; do _tries=$((_tries + 1)) - if [ "$_tries" -gt "$2" ]; then + if [ "$_tries" -gt "$_max_tries" ]; then echo "port $1 is NOT listening" exit fi @@ -917,7 +959,7 @@ stage_listening() done echo - echo "Success! Port $1 is listening in staging jail" + echo "Success! Port $1 is listening" } stage_test_running() 
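Review bot: Dropping `|| exit` after the `jail -c` call that ends in `$JAIL_START_EXTRA` makes `start_staged_jail` depend on the caller running under `set -e`, and the provision/nagios.sh and provision/nictool.sh hunks in this patch still show the `. mail-toaster.sh || exit` style, which suggests they do not. For such callers a failed jail start is no longer fatal and the script carries on to `enable_bsd_cache` and the install steps. The same applies to the `sed` in `assure_ip6_addr_is_declared` and the `chmod` in `install_pfrule`. Either keep an explicit check in the shared file, `$JAIL_START_EXTRA || exit 1`, or have mail-toaster.sh enable `-e` itself; whether it already does is not visible in these hunks. The function body continues outside the hunk.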
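Review bot: With the early `sockstat` path and its `|| exit` removed, every caller of `stage_listening` now reaches the retry loop, whose failure branch is `echo "port $1 is NOT listening"` followed by a bare `exit`. A bare `exit` returns the status of the preceding `echo`, so the provisioning script stops with status 0 when the port never opens. Make the failure explicit with `exit 1` so wrappers and CI see the failed listener test. The loop body between the two `stage_listening` hunks is not visible here.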
@@ -1208,6 +1250,11 @@ mt6-include() . "include/$1.sh" } +jail_is_running() +{ + jls -d -j $1 name 2>/dev/null | grep -q $1 +} + jail_rename() { if [ -z "$1" ] || [ -z "$2" ]; then @@ -1272,7 +1319,7 @@ assure_ip6_addr_is_declared() sed -i.bak \ -e "/^$1/,/ip4/ s/ip4.*;/&\\ ip6.addr = $JAIL_NET_INTERFACE|$(get_jail_ip6 "$1");/" \ - /etc/jail.conf || exit + /etc/jail.conf } assure_jail() @@ -1304,3 +1351,9 @@ preserve_file() { fi fi } + +onexit() { while caller $((n++)); do :; done; } + +if [ "$TOASTER_BUILD_DEBUG" = "1" ]; then + trap onexit EXIT +fi \ No newline at end of file diff --git a/provision/base.sh b/provision/base.sh index 56727b72..8a4fb4f1 100755 --- a/provision/base.sh +++ b/provision/base.sh @@ -1,19 +1,18 @@ #!/bin/sh -. mail-toaster.sh || exit +set -e -ifconfig ${JAIL_NET_INTERFACE} 2>&1 | grep -q 'does not exist' && { - echo; echo "ERROR: did you run 'provision host' yet?"; echo; - exit 1 -} +. mail-toaster.sh mt6-include shell +mt6-include mta +mt6-include editor create_base_filesystem() { if [ -e "$BASE_MNT/dev/null" ]; then echo "unmounting $BASE_MNT/dev" - umount "$BASE_MNT/dev" || exit + umount "$BASE_MNT/dev" fi if zfs_filesystem_exists "$BASE_VOL"; then @@ -51,33 +50,7 @@ install_freebsd() stage_fbsd_package base "$BASE_MNT" fi - touch "$BASE_MNT/etc/fstab" -} - -install_ssmtp() -{ - tell_status "installing ssmtp" - stage_pkg_install ssmtp || exit - - tell_status "configuring ssmtp" - cp "$BASE_MNT/usr/local/etc/ssmtp/revaliases.sample" \ - "$BASE_MNT/usr/local/etc/ssmtp/revaliases" || exit - - sed -e "/^root=/ s/postmaster/$TOASTER_ADMIN_EMAIL/" \ - -e "/^mailhub=/ s/=mail/=$TOASTER_MSA/" \ - -e "/^rewriteDomain=/ s/=\$/=$TOASTER_MAIL_DOMAIN/" \ - -e '/^#FromLineOverride=YES/ s/#//' \ - "$BASE_MNT/usr/local/etc/ssmtp/ssmtp.conf.sample" \ - > "$BASE_MNT/usr/local/etc/ssmtp/ssmtp.conf" || exit - - tee "$BASE_MNT/etc/mail/mailer.conf" < "$_daily/auto_security_upgrades" #!/bin/sh auto_remove="vim-console vim-lite" 
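Review bot: `jail_is_running` passes `$1` unquoted to both `jls` and `grep -q`, and the grep treats the jail name as an unanchored regular expression, so the result depends on word splitting and pattern characters in the name. An exact fixed-string match avoids both: `jls -d -j "$1" name 2>/dev/null | grep -qxF -- "$1"`. The `-d` flag also lists dying jails, so callers such as `enable_bsd_cache` and `stage_resolv_conf` will treat a jail that is shutting down as running; a one-line comment stating that this is intended for `stop_jail` would help.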
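Review bot: `onexit` relies on `caller`, which is a bash builtin, and on `$((n++))`, while the provision scripts that source this file start with `#!/bin/sh`; under a plain POSIX sh the EXIT trap would likely print a command-not-found error instead of a call trace. `n` is also never initialised or declared local. If the debug trap is meant for bash only, guard it, for example `if [ "$TOASTER_BUILD_DEBUG" = "1" ] && [ -n "$BASH_VERSION" ]; then`, and add a comment saying so. The hunk also leaves mail-toaster.sh without a trailing newline.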
@@ -191,10 +164,10 @@ configure_tls_dhparams() if [ ! -f "$DHP" ]; then # for upgrade compatibilty tell_status "Generating a 2048 bit $DHP" - openssl dhparam -out "$DHP" 2048 || exit + openssl dhparam -out "$DHP" 2048 fi - cp "$DHP" "$BASE_MNT/etc/ssl/dhparam.pem" || exit + cp "$DHP" "$BASE_MNT/etc/ssl/dhparam.pem" } configure_make_conf() { @@ -211,23 +184,29 @@ EO_MAKE_CONF } configure_fstab() { - if [ ! -d "$BASE_MNT/data/etc" ]; then - mkdir -p "$BASE_MNT/data/etc" || exit 1 + local _sub_dir=${1:-""} + local _etc_path="$BASE_MNT/${_sub_dir}etc" + if [ ! -d "$_etc_path" ]; then + mkdir -p "$_etc_path" fi - touch "$BASE_MNT/data/etc/fstab" + + tee "$_etc_path/fstab" <&1 | grep -q 'does not exist'; then + echo; echo "ERROR: did you run 'provision host' yet?"; echo; + exit 1 + else + echo "ok" + fi +} + +assure_jail_nic zfs_snapshot_exists "$BASE_SNAP" && exit 0 -jail -r stage 2>/dev/null +stop_jail stage create_base_filesystem install_freebsd freebsd_update configure_base -start_staged_jail base "$BASE_MNT" || exit +start_staged_jail base "$BASE_MNT" install_base stop_jail stage if [ -e "$BASE_MNT/dev/null" ]; then umount "$BASE_MNT/dev"; fi rm -rf "$BASE_MNT/var/cache/pkg/*" rm -rf "$BASE_MNT/var/db/freebsd-update/*" echo "zfs snapshot ${BASE_SNAP}" -zfs snapshot "${BASE_SNAP}" || exit +zfs snapshot "${BASE_SNAP}" add_jail_conf base proclaim_success base diff --git a/provision/clamav.sh b/provision/clamav.sh index 18d5e387..b2c8d809 100755 --- a/provision/clamav.sh +++ b/provision/clamav.sh @@ -1,6 +1,8 @@ #!/bin/sh -. mail-toaster.sh || exit +set -e + +. mail-toaster.sh install_clamav_fangfrisch() { 
@@ -9,7 +11,7 @@ install_clamav_fangfrisch() stage_pkg_install python sqlite3 py39-sqlite3 sudo _fdir="/usr/local/fangfrisch" stage_exec mkdir "$_fdir" - stage_exec bash -c 'cd /usr/local/fangfrisch && python3 -m venv venv && source venv/bin/activate && pip install fangfrisch' || exit 1 + stage_exec bash -c 'cd /usr/local/fangfrisch && python3 -m venv venv && source venv/bin/activate && pip install fangfrisch' stage_exec chown -R clamav:clamav $_fdir store_config "${STAGE_MNT}${_fdir}/fangfrisch.conf" < port 6277 -> $(get_jail_ip dcc) +rdr inet6 proto tcp from any to port 6277 -> $(get_jail_ip6 dcc) +EO_PF_RDR + } start_dcc() @@ -68,7 +82,7 @@ test_dcc() stage_listening 1025 3 } -base_snapshot_exists || exit +base_snapshot_exists || exit 1 create_staged_fs dcc start_staged_jail dcc install_dcc diff --git a/provision/dns.sh b/provision/dns.sh index fd70f3eb..79de352c 100755 --- a/provision/dns.sh +++ b/provision/dns.sh @@ -1,6 +1,8 @@ #!/bin/sh -. mail-toaster.sh || exit +set -e + +. mail-toaster.sh export JAIL_START_EXTRA="" export JAIL_CONF_EXTRA=" @@ -9,7 +11,7 @@ export JAIL_CONF_EXTRA=" install_unbound() { tell_status "installing unbound" - stage_pkg_install unbound || exit + stage_pkg_install unbound } get_mt6_data() @@ -97,7 +99,7 @@ include: "/data/mt6-local.conf" \ -e '/^remote-control:/ a\ include: "/data/control.conf" \ ' \ - "$UNBOUND_DIR/unbound.conf" || exit + "$UNBOUND_DIR/unbound.conf" } enable_control() 
@@ -107,6 +109,10 @@ enable_control() return fi + tell_status "creating $ZFS_DATA_MNT/dns/control" + mkdir "$ZFS_DATA_MNT/dns/control" + + tell_status "configuring unbound-control" tee "$ZFS_DATA_MNT/dns/control.conf" <> "$_ssldir/certs/${TOASTER_MAIL_DOMAIN}.pem" || exit + cat /etc/ssl/dhparam.pem >> "$_ssldir/certs/${TOASTER_MAIL_DOMAIN}.pem" # /sunset - cp /etc/ssl/private/server.key "$_ssldir/private/${TOASTER_MAIL_DOMAIN}.pem" || exit + cp /etc/ssl/private/server.key "$_ssldir/private/${TOASTER_MAIL_DOMAIN}.pem" } configure_postfix_with_sasl() { # ignore this, it doesn't exist. Yet. Maybe not ever. It's one way to # configure a MSA with dovecot auth. - stage_pkg_install postfix || exit + stage_pkg_install postfix stage_exec postconf -e "relayhost = $TOASTER_MSA" stage_exec postconf -e 'smtpd_sasl_type = dovecot' @@ -358,10 +361,10 @@ configure_postfix_with_sasl() stage_exec postconf -e 'smtp_tls_security_level = may' for _s in 512 1024 2048; do - openssl dhparam -out /tmp/dh$_s.tmp $_s || exit - chmod 644 /tmp/dh${_s}.tmp || exit - mv /tmp/dh${_s}.tmp "$STAGE_MNT/usr/local/etc/postfix/dh${_s}.pem" || exit - stage_exec postconf -e "smtpd_tls_dh${_s}_param_file = \${config_directory}/dh${_s}.pem" || exit + openssl dhparam -out /tmp/dh$_s.tmp $_s + chmod 644 /tmp/dh${_s}.tmp + mv /tmp/dh${_s}.tmp "$STAGE_MNT/usr/local/etc/postfix/dh${_s}.pem" + stage_exec postconf -e "smtpd_tls_dh${_s}_param_file = \${config_directory}/dh${_s}.pem" done stage_sysrc postfix_enable="YES" @@ -370,7 +373,7 @@ configure_postfix_with_sasl() compile_sieve() { - stage_exec /usr/local/bin/sievec -c /data/etc/dovecot.conf "/usr/local/lib/dovecot/sieve/$1" || exit + stage_exec /usr/local/bin/sievec -c /data/etc/dovecot.conf "/usr/local/lib/dovecot/sieve/$1" } configure_sieve_report_ham() 
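Review bot: In `configure_postfix_with_sasl` the loop writes DH parameters to the fixed host paths `/tmp/dh512.tmp`, `/tmp/dh1024.tmp` and `/tmp/dh2048.tmp` as root, names a local user can pre-create or symlink, and it still generates 512- and 1024-bit groups that are too weak to configure. Write straight into the staged jail instead, `openssl dhparam -out "$STAGE_MNT/usr/local/etc/postfix/dh${_s}.pem" "$_s"`, or create the scratch file with `mktemp`, and limit the loop to 2048. With the `|| exit` suffixes gone, a failure here is only fatal when the caller runs under `set -e`. The function's own comment says it is not in use yet, so this is cheap to fix before it is wired in.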
@@ -425,7 +428,7 @@ configure_sieve_learn_rspamd() tee "$SIEVE_DIR/learn-ham-rspamd.sh" <> "$STAGE_MNT/etc/make.conf" - stage_pkg_install pcre gmake "$TLS_LIBRARY" || exit 1 - stage_port_install net/haproxy || exit 1 + stage_pkg_install pcre gmake "$TLS_LIBRARY" + stage_port_install net/haproxy } install_haproxy_libressl() { tell_status "compiling haproxy against libressl" echo 'DEFAULT_VERSIONS+=ssl=libressl' >> "$STAGE_MNT/etc/make.conf" - stage_pkg_install pcre gmake libressl || exit 1 - stage_port_install net/haproxy || exit 1 + stage_pkg_install pcre gmake libressl + stage_port_install net/haproxy } configure_haproxy_dot_conf() @@ -293,17 +295,17 @@ configure_haproxy_tls() if [ ! -f "$STAGE_MNT/etc/ssl/private/server.pem" ]; then tell_status "concatenating TLS key and crt to PEM" cat /etc/ssl/private/server.key /etc/ssl/certs/server.crt \ - > "$STAGE_MNT/etc/ssl/private/server.pem" || exit 1 + > "$STAGE_MNT/etc/ssl/private/server.pem" fi if [ ! -d "$ZFS_DATA_MNT/haproxy/ssl" ]; then tell_status "creating /data/ssl" - mkdir -p "$ZFS_DATA_MNT/haproxy/ssl" || exit 1 + mkdir -p "$ZFS_DATA_MNT/haproxy/ssl" fi if [ ! -d "$ZFS_DATA_MNT/haproxy/ssl.d" ]; then tell_status "creating /data/ssl.d" - mkdir -p "$ZFS_DATA_MNT/haproxy/ssl.d" || exit 1 + mkdir -p "$ZFS_DATA_MNT/haproxy/ssl.d" fi if [ ! -d "$STAGE_MNT/usr/local/etc/periodic/daily" ]; then @@ -316,7 +318,7 @@ configure_haproxy() { if [ ! -d "$ZFS_DATA_MNT/haproxy/etc" ]; then tell_status "creating /data/etc" - mkdir -p "$ZFS_DATA_MNT/haproxy/etc" || exit + mkdir -p "$ZFS_DATA_MNT/haproxy/etc" fi configure_haproxy_dot_conf @@ -336,6 +338,11 @@ configure_haproxy() store_config "$_pf_etc/rdr.conf" < port { 80 443 } -> $(get_jail_ip haproxy) rdr inet6 proto tcp from any to port { 80 443 } -> $(get_jail_ip6 haproxy) +EO_PF + + store_config "$_pf_etc/allow.conf" < port { 80 443 } +pass in quick inet6 proto tcp from any to port { 80 443 } EO_PF configure_haproxy_tls 
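Review bot: In `configure_haproxy_tls` the private key is concatenated into `$STAGE_MNT/etc/ssl/private/server.pem` through a plain redirection, so the file is created with the process umask, and no `chmod` follows inside the visible `if` block. Create it with restrictive permissions, e.g. `( umask 077; cat /etc/ssl/private/server.key /etc/ssl/certs/server.crt > "$STAGE_MNT/etc/ssl/private/server.pem" )`. If the mode of the `private` directory or a later step already restricts access, a comment noting that next to the `cat` would be enough.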
diff --git a/provision/haraka.sh b/provision/haraka.sh index 3c873e04..7ad9af8e 100755 --- a/provision/haraka.sh +++ b/provision/haraka.sh @@ -1,6 +1,8 @@ #!/bin/sh -. mail-toaster.sh || exit +set -e + +. mail-toaster.sh export JAIL_START_EXTRA="devfs_ruleset=7" export JAIL_CONF_EXTRA=" @@ -12,27 +14,27 @@ HARAKA_CONF="$ZFS_DATA_MNT/haraka/config" install_haraka() { tell_status "installing node & npm" - stage_pkg_install npm-node18 gmake pkgconf git-lite || exit + stage_pkg_install npm-node18 gmake pkgconf git-tiny if [ "$BOURNE_SHELL" != "bash" ]; then tell_status "Install bash since not in base" - stage_pkg_install bash || exit + stage_pkg_install bash fi # export PYTHON=/usr/local/bin/python3 # stage_exec ln -s /usr/local/bin/python3 /usr/local/bin/python - # stage_exec npm install -g --omit=dev node-gyp || exit + # stage_exec npm install -g --omit=dev node-gyp # Workaround for NPM bug https://github.com/npm/cli/issues/2610 stage_exec bash -c 'git config --global url."https://github.com/".insteadOf git@github.com:' stage_exec bash -c 'git config --global url."https://".insteadOf git://' tell_status "installing Haraka" - stage_exec bash -c "npm install -g --omit=dev https://github.com/haraka/Haraka.git" || exit + stage_exec bash -c "npm install -g --omit=dev https://github.com/haraka/Haraka.git" local _plugins="ws express" for _p in log-reader dmarc-perl; do _plugins="$_plugins haraka-plugin-$_p" done - stage_exec rm /data/package.json + stage_exec bash -c "if [ -f /data/package.json ]; then rm /data/package.json; fi" stage_exec bash -c "cd /data && npm install --omit=dev $_plugins" } 
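Review bot: `install_haraka` installs Haraka with `npm install -g --omit=dev https://github.com/haraka/Haraka.git`, which takes whatever the default branch holds at build time, and the plugin list in `$_plugins` is installed without versions as well, so two provisions of the same toaster can run different, unreviewed code in the mail path. Pin the install to a release tag or commit, `https://github.com/haraka/Haraka.git#<TAG_OR_COMMIT>` (placeholder), or install the published package at a fixed version. The new guard around `/data/package.json` could be reduced to `rm -f /data/package.json`.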
@@ -76,12 +78,12 @@ install_p0f() tell_status "installing p0f startup file" mkdir -p "$STAGE_MNT/usr/local/etc/rc.d" local _start="$STAGE_MNT/usr/local/etc/rc.d/p0f" - cp "$STAGE_MNT/usr/local/lib/node_modules/Haraka/node_modules/haraka-plugin-p0f/contrib/bsd-rc.d/p0f" "$_start" || exit - chmod 755 "$_start" || exit + cp "$STAGE_MNT/usr/local/lib/node_modules/Haraka/node_modules/haraka-plugin-p0f/contrib/bsd-rc.d/p0f" "$_start" + chmod 755 "$_start" get_public_facing_nic if [ "$PUBLIC_NIC" != "bce1" ]; then - sed -i '' -e "s/ bce1 / $PUBLIC_NIC /" "$_start" || exit + sed -i '' -e "s/ bce1 / $PUBLIC_NIC /" "$_start" fi stage_sysrc p0f_enable=YES @@ -219,7 +221,7 @@ relay_reject_threshold=7 configure_haraka_avg() { - mkdir -p "$STAGE_MNT/data/avg/spool" || exit + mkdir -p "$STAGE_MNT/data/avg/spool" tell_status "configuring Haraka avg plugin" if ! grep -qs ^host "$HARAKA_CONF/avg.ini"; then @@ -345,7 +347,7 @@ configure_haraka_rspamd() tell_status "configure Haraka rspamd plugin" echo "host = $(get_jail_ip rspamd) add_headers = always -" | tee -a "$HARAKA_CONF/rspamd.ini" || exit +" | tee -a "$HARAKA_CONF/rspamd.ini" fi if ! grep -qs ^rspamd "$HARAKA_CONF/plugins"; then @@ -353,7 +355,7 @@ add_headers = always # shellcheck disable=1004 sed -i '' -e '/spamassassin$/a\ rspamd -' "$HARAKA_CONF/plugins" || exit +' "$HARAKA_CONF/plugins" fi } @@ -361,7 +363,7 @@ configure_haraka_watch() { if ! grep -qs ^watch "$HARAKA_CONF/plugins"; then tell_status "enabling watch plugin" - echo 'watch' >> "$HARAKA_CONF/plugins" || exit + echo 'watch' >> "$HARAKA_CONF/plugins" fi if [ ! -f "$HARAKA_CONF/watch.ini" ]; then @@ -381,7 +383,7 @@ configure_haraka_smtp_ini() -e 's/^;daemonize=true/daemonize=true/' \ -e 's/^;daemon_pid_file/daemon_pid_file/' \ -e 's/^;daemon_log_file/daemon_log_file/' \ - "$HARAKA_CONF/smtp.ini" || exit + "$HARAKA_CONF/smtp.ini" } configure_haraka_plugins() 
@@ -459,7 +461,7 @@ configure_haraka_dkim() if [ ! -d "$HARAKA_CONF/dkim/$TOASTER_MAIL_DOMAIN" ]; then tell_status "generating DKIM keys" - cd "$HARAKA_CONF/dkim" || exit + cd "$HARAKA_CONF/dkim" sh dkim_key_gen.sh "$TOASTER_MAIL_DOMAIN" cat "$HARAKA_CONF/dkim/$TOASTER_MAIL_DOMAIN/dns" @@ -597,7 +599,7 @@ configure_haraka_log_rotation() enable_newsyslog tell_status "configuring haraka.log rotation" - mkdir -p "$STAGE_MNT/etc/newsyslog.conf.d" || exit + mkdir -p "$STAGE_MNT/etc/newsyslog.conf.d" tee -a "$STAGE_MNT/etc/newsyslog.conf.d/haraka.log" < "$HARAKA_CONF/loglevel" @@ -724,10 +726,10 @@ start_haraka() sysrc -f "$STAGE_MNT/etc/rc.conf" haraka_flags='-c /data' if [ ! -d "$HARAKA_CONF/queue" ]; then - mkdir -p "$HARAKA_CONF/queue" || exit + mkdir -p "$HARAKA_CONF/queue" fi - stage_exec service haraka start || exit + stage_exec service haraka start } test_haraka() @@ -737,7 +739,7 @@ test_haraka() } preinstall_checks() { - base_snapshot_exists || exit + base_snapshot_exists || exit 1 if ! zfs_filesystem_exists "$ZFS_DATA_VOL/redis"; then tell_status "FATAL: redis jail required but not provisioned." diff --git a/provision/host.sh b/provision/host.sh index d96fd151..a2f0bd33 100755 --- a/provision/host.sh +++ b/provision/host.sh @@ -1,11 +1,14 @@ #!/bin/sh -. mail-toaster.sh || exit +set -e + +. mail-toaster.sh export JAIL_START_EXTRA="" export JAIL_CONF_EXTRA="" mt6-include shell +mt6-include mta configure_ntp() { @@ -34,7 +37,7 @@ configure_ntpd() fi tell_status "enabling NTPd" - sysrc ntpd_enable=YES || exit + sysrc ntpd_enable=YES sysrc ntpd_sync_on_start=YES /etc/rc.d/ntpd restart } 
@@ -58,18 +61,6 @@ update_syslogd() service syslogd restart } -update_sendmail() -{ - if grep -q ^sendmail_enable /etc/rc.conf; then - tell_status "preserving sendmail config" - return - fi - - tell_status "disable sendmail network listening" - sysrc sendmail_enable=NO - service sendmail onestop -} - install_periodic_conf() { store_config /etc/periodic.conf < to any port { 22 } anchor "allow/*" EO_PF_RULES - kldstat -q -m pf || kldload pf || exit 1 + kldstat -q -m pf || kldload pf grep -q ^pf_enable /etc/rc.conf || sysrc pf_enable=YES if ! /etc/rc.d/pf status | grep -q Enabled; then - /etc/rc.d/pf start || exit 1 + /etc/rc.d/pf start fi - pfctl -f /etc/pf.conf || exit 1 + pfctl -f /etc/pf.conf } install_jailmanage() @@ -458,12 +451,12 @@ update_ports_tree() cd - || return else tell_status "updating FreeBSD ports tree (portsnap)" - portsnap fetch || exit + portsnap fetch if [ -d /usr/ports/mail/vpopmail ]; then - portsnap update || portsnap extract || exit + portsnap update || portsnap extract else - portsnap extract || exit + portsnap extract fi fi } @@ -484,7 +477,7 @@ update_freebsd() freebsd-update fetch install tell_status "updating FreeBSD pkg collection" - pkg update || exit + pkg update if ! pkg info -e ca_root_nss; then tell_status "install CA root certs, so https URLs work" @@ -506,14 +499,12 @@ plumb_jail_nic() if ! grep -q cloned_interfaces /etc/rc.conf; then tell_status "plumb lo1 interface at startup" - sysrc cloned_interfaces+=lo1 || exit + sysrc cloned_interfaces+=lo1 fi - local _missing; - _missing=$(ifconfig lo1 2>&1 | grep 'does not exist') - if [ -n "$_missing" ]; then + if ifconfig lo1 2>&1 | grep -q 'does not exist'; then tell_status "plumb lo1 interface" - ifconfig lo1 create || exit + ifconfig lo1 create fi } 
@@ -521,14 +512,12 @@ assign_syslog_ip() { if ! grep -q ifconfig_lo1 /etc/rc.conf; then tell_status "adding syslog IP to lo1" - sysrc ifconfig_lo1="$JAIL_NET_PREFIX.1 netmask 255.255.255.0" || exit + sysrc ifconfig_lo1="$JAIL_NET_PREFIX.1 netmask 255.255.255.0" fi - local _present - _present=$(ifconfig lo1 2>&1 | grep "$JAIL_NET_PREFIX.1 ") - if [ -z "$_present" ]; then + if ! ifconfig lo1 2>&1 | grep -q "$JAIL_NET_PREFIX.1 "; then echo "assigning $JAIL_NET_PREFIX.1 to lo1" - ifconfig lo1 "$JAIL_NET_PREFIX.1" netmask 255.255.255.0 || exit + ifconfig lo1 "$JAIL_NET_PREFIX.1" netmask 255.255.255.0 fi } @@ -549,7 +538,7 @@ configure_etc_hosts() $(get_jail_ip "$_j") $_j" done - echo "$_hosts" | tee -a "/etc/hosts" + echo "$_hosts" >> "/etc/hosts" } update_host() { @@ -557,7 +546,7 @@ update_host() { update_freebsd configure_pkg_latest "" configure_ntp - update_sendmail + configure_mta install_periodic_conf constrain_sshd_to_host sshd_reorder diff --git a/provision/letsencrypt.sh b/provision/letsencrypt.sh index 3c412ae5..c3142bbf 100755 --- a/provision/letsencrypt.sh +++ b/provision/letsencrypt.sh @@ -1,6 +1,8 @@ #!/bin/sh -. mail-toaster.sh || exit +set -e + +. mail-toaster.sh install_letsencrypt() { diff --git a/provision/mailtest.sh b/provision/mailtest.sh index e7f9230d..acf290ee 100755 --- a/provision/mailtest.sh +++ b/provision/mailtest.sh @@ -1,6 +1,8 @@ #!/bin/sh -. mail-toaster.sh || exit +set -e + +. mail-toaster.sh export JAIL_START_EXTRA="" export JAIL_CONF_EXTRA=" @@ -10,7 +12,7 @@ export JAIL_CONF_EXTRA=" install_mailtest() { tell_status "installing swaks" - stage_pkg_install swaks p5-Net-SSLeay || exit 1 + stage_pkg_install swaks p5-Net-SSLeay } configure_mailtest() 
@@ -34,11 +36,11 @@ test_mailtest() _pass=$(jexec vpopmail /usr/local/vpopmail/bin/vuserinfo -C "$_email") tell_status "sending an email to $_email" - stage_exec swaks -from "$_email" -to "$_email" -server "$_server" -timeout 50 || exit 1 + stage_exec swaks -from "$_email" -to "$_email" -server "$_server" -timeout 50 tell_status "sending a TLS encrypted and authenticated email" stage_exec swaks -from "$_email" -to "$_email" -server "$_server" -timeout 50 \ - -tls -au "$_email" -ap "$_pass" || exit 1 + -tls -au "$_email" -ap "$_pass" echo "it worked" } diff --git a/provision/mongodb.sh b/provision/mongodb.sh index 23fe300b..1f227300 100755 --- a/provision/mongodb.sh +++ b/provision/mongodb.sh 
@@ -1,33 +1,43 @@ #!/bin/sh +set -e + . mail-toaster.sh || exit -export JAIL_START_EXTRA="" +export JAIL_START_EXTRA="allow.sysvipc=1 allow.mlock=1" export JAIL_CONF_EXTRA=" + allow.raw_sockets; allow.sysvipc; allow.mlock;" install_mongodb() { + if [ "$(uname -p)" = "amd64" ]; then + if ! grep Features /var/run/dmesg.boot | grep AVX; then + tell_status "WARNING: your CPU isn't supported by MongoDB 5+, installing 4.4" + stage_pkg_install mongodb44 mongodb-tools + return + fi + fi + tell_status "installing mongodb" - stage_pkg_install mongodb50 || exit + stage_pkg_install mongodb50 mongodb-tools +} - #stage_pkg_install python scons-py37 boost-libs snappy pcre cyrus-sasl binutils gmp mongodb44 || exit 1 - #stage_port_install databases/mongodb50 || exit 1 +install_mongodb_port() +{ + stage_pkg_install python scons-py37 boost-libs snappy pcre cyrus-sasl binutils gmp + stage_port_install databases/mongodb50 } check_max_wired() { local _fbsd_major; _fbsd_major=$(freebsd-version | cut -f1 -d'.') - if [ "$_fbsd_major" -gt "12" ]; then - return - fi + if [ "$_fbsd_major" -gt "12" ]; then return; fi _count=$(sysctl -n vm.stats.vm.v_wire_count) _wired=$(sysctl -n vm.max_wired) - if [ "$_count" -lt "$_wired" ]; then - return - fi + if [ "$_count" -lt "$_wired" ]; then return; fi echo "increase vm.max_wired > $_count" echo "sysctl vm.max_wired $((_count * 2))" @@ -60,10 +70,6 @@ start_mongodb() { tell_status "starting mongodb" stage_sysrc mongod_enable=YES - stage_sysrc mongod_config=/data/etc/mongodb.conf - stage_sysrc mongod_dbpath=/data/db - stage_sysrc mongod_flags="--logpath /data/log/mongod.log --logappend" - stage_exec service mongod start } 
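Review bot: The new `JAIL_START_EXTRA="allow.sysvipc=1 allow.mlock=1"` and the matching `JAIL_CONF_EXTRA` entries give the mongodb jail access to the host-wide System V IPC namespace, where it can see IPC objects belonging to the host and to other jails. jail(8) marks `allow.sysvipc` as deprecated in favour of the per-module `sysvmsg`, `sysvsem` and `sysvshm` parameters, and setting the ones MongoDB needs to `new` grants the capability inside a private namespace. Please add a comment saying which MongoDB feature needs each permission, since `allow.raw_sockets` sits in the same list without a stated reason. The commit message indicates dovecot receives the same `sysvipc` addition, so the point applies there too.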
@@ -71,10 +77,17 @@ test_mongodb() { echo "testing mongodb" sleep 1 - stage_listening 27017 + stage_listening 27017 3 echo "it worked" } +post_install_config() +{ + stage_sysrc mongod_config=/data/etc/mongodb.conf + stage_sysrc mongod_dbpath=/data/db + stage_sysrc mongod_flags="--logpath /data/log/mongod.log --logappend" +} + base_snapshot_exists || exit create_staged_fs mongodb start_staged_jail mongodb @@ -82,4 +95,5 @@ install_mongodb configure_mongodb start_mongodb test_mongodb +post_install_config promote_staged_jail mongodb diff --git a/provision/mysql.sh b/provision/mysql.sh index e2628ac4..07524e88 100755 --- a/provision/mysql.sh +++ b/provision/mysql.sh @@ -1,13 +1,15 @@ #!/bin/sh -. mail-toaster.sh || exit +set -e + +. mail-toaster.sh install_db_server() { for _d in etc db; do _path="$STAGE_MNT/data/$_d" if [ ! -d "$_path" ]; then - mkdir "$_path" || exit 1 + mkdir "$_path" chown 88:88 "$_path" fi done @@ -23,13 +25,13 @@ install_db_server() install_mysql() { tell_status "installing mysql" - stage_pkg_install mysql80-server || exit 1 + stage_pkg_install mysql80-server } install_mariadb() { tell_status "installing mariadb" - stage_pkg_install mariadb1011-server || exit 1 + stage_pkg_install mariadb1011-server } write_pass_to_conf() @@ -37,7 +39,7 @@ write_pass_to_conf() if grep -sq TOASTER_MYSQL_PASS mail-toaster.conf; then sed -i '' \ -e "/^export TOASTER_MYSQL_PASS=/ s|=\"\"|=\"$TOASTER_MYSQL_PASS\"|" \ - mail-toaster.conf || exit + mail-toaster.conf else echo "export TOASTER_MYSQL_PASS=\"$TOASTER_MYSQL_PASS\"" >> mail-toaster.conf fi @@ -80,7 +82,7 @@ configure_mysql_root_password() echo 'SHOW DATABASES' | stage_exec mysql --password="$TOASTER_MYSQL_PASS" \ || echo "ALTER USER 'root'@'localhost' IDENTIFIED BY '$TOASTER_MYSQL_PASS';" \ - | stage_exec mysql -u root || exit 1 + | stage_exec mysql -u root write_pass_to_conf } 
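Review bot: `configure_mysql_root_password` passes the root password as `--password="$TOASTER_MYSQL_PASS"` and interpolates it into the `ALTER USER` statement, so it is visible in the process list while the client runs, and a password containing a single quote breaks the SQL. `test_mysql` in the next hunk does the same, and `write_pass_to_conf` places the value in a `sed` replacement where `|`, `&` or `\` would corrupt the result. Prefer a client option file readable only by root, `stage_exec mysql --defaults-extra-file=<PATH_TO_CNF>` (placeholder path), and restrict generated passwords to characters that are safe in these contexts. The function body starts outside the hunk.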
@@ -127,7 +129,7 @@ start_mysql() unmount_data mysql fi - stage_exec service mysql-server start || exit + stage_exec service mysql-server start configure_mysql_root_password configure_mysql_keys } @@ -136,7 +138,7 @@ test_mysql() { tell_status "testing mysql" stage_listening 3306 2 - echo 'SHOW DATABASES' | stage_exec mysql --password="$TOASTER_MYSQL_PASS" || exit 1 + echo 'SHOW DATABASES' | stage_exec mysql --password="$TOASTER_MYSQL_PASS" echo "it worked" } @@ -177,7 +179,7 @@ else exit fi -base_snapshot_exists || exit +base_snapshot_exists || exit 1 migrate_mysql_dbs create_staged_fs mysql start_staged_jail mysql diff --git a/provision/nagios.sh b/provision/nagios.sh index 2b5c44d5..85ad66ec 100755 --- a/provision/nagios.sh +++ b/provision/nagios.sh @@ -3,7 +3,8 @@ . mail-toaster.sh || exit export JAIL_START_EXTRA="" -export JAIL_CONF_EXTRA="" +export JAIL_CONF_EXTRA=" + allow.raw_sockets;" mt6-include php mt6-include nginx diff --git a/provision/nictool.sh b/provision/nictool.sh index d43d1aff..7e91f524 100755 --- a/provision/nictool.sh +++ b/provision/nictool.sh @@ -29,7 +29,7 @@ install_nt_prereqs() install_nt_from_git() { - stage_pkg_install git-lite || exit + stage_pkg_install git-tiny || exit cd "$STAGE_MNT/usr/local" || exit stage_exec git clone --depth=1 https://github.com/msimerson/NicTool.git /usr/local/nictool || exit stage_pkg_install p5-App-Cpanminus diff --git a/provision/postfix.sh b/provision/postfix.sh index 3f15baf1..f3c39575 100755 --- a/provision/postfix.sh +++ b/provision/postfix.sh 
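Review bot: `test_mysql` passes the root password as `--password="$TOASTER_MYSQL_PASS"`, which places it in the client's argument list where it can appear in process listings while the command runs; `configure_mysql_root_password` in the -80,7 hunk uses the same form. A client option file readable only by root avoids that: write a `[client]` section with the password to a mode 0600 file and call `stage_exec mysql --defaults-extra-file=<path-to-option-file>`. The same file would also serve the later `mysql_query` callers if they run as root (not visible here).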
@@ -80,15 +80,15 @@ configure_postfix() if [ -f "$ZFS_JAIL_MNT/postfix/etc/aliases" ]; then tell_status "preserving /etc/aliases" cp "$ZFS_JAIL_MNT/postfix/etc/aliases" "$STAGE_MNT/etc/aliases" - stage_exec /usr/bin/newaliases + stage_exec /usr/local/bin/newaliases elif [ -f "$ZFS_DATA_MNT/postfix/etc/aliases" ]; then cp "$ZFS_DATA_MNT/postfix/etc/aliases" "$STAGE_MNT/etc/aliases" - stage_exec /usr/bin/newaliases + stage_exec /usr/local/bin/newaliases fi - if [ ! -f "$ZFS_JAIL_MNT/usr/local/etc/mail/mailer.conf" ]; then - if [ ! -d "$ZFS_JAIL_MNT/usr/local/etc/mail" ]; then - mkdir "$ZFS_JAIL_MNT/usr/local/etc/mail" || exit 1 + if [ ! -f "$STAGE_MNT/usr/local/etc/mail/mailer.conf" ]; then + if [ ! -d "$STAGE_MNT/usr/local/etc/mail" ]; then + mkdir -p "$STAGE_MNT/usr/local/etc/mail" fi stage_exec install -m 0644 /usr/local/share/postfix/mailer.conf.postfix /usr/local/etc/mail/mailer.conf fi diff --git a/provision/roundcube.sh b/provision/roundcube.sh index 85f85c90..33cf8667 100755 --- a/provision/roundcube.sh +++ b/provision/roundcube.sh @@ -1,6 +1,8 @@ #!/bin/sh -. mail-toaster.sh || exit +set -e + +. mail-toaster.sh export JAIL_START_EXTRA="" export JAIL_CONF_EXTRA="" @@ -49,7 +51,7 @@ install_roundcube_mysql() sed -i.bak \ -e "s/roundcube:pass@/roundcube:${_rcpass}@/" \ -e "s/@localhost\//@$(get_jail_ip mysql)\//" \ - "$_rcc_dir/config.inc.php" || exit + "$_rcc_dir/config.inc.php" if [ "$_init_db" = "1" ]; then tell_status "configuring roundcube mysql permissions" 
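Review bot: The `|| exit 1` is dropped from the `mkdir` in `configure_postfix`, but no hunk in this patch adds `set -e` to provision/postfix.sh, so unless the script already enables it (not visible here) a failed mkdir would no longer stop the build. Either add `set -e` at the top as the other provision scripts now do, or keep the explicit check: `mkdir -p "$STAGE_MNT/usr/local/etc/mail" || exit 1`. The status of `stage_exec /usr/local/bin/newaliases` is unchecked in the same way. `configure_postfix` starts and ends outside this hunk.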
@@ -57,8 +59,8 @@ install_roundcube_mysql() for _jail in roundcube stage; do for _ip in $(get_jail_ip "$_jail") $(get_jail_ip6 "$_jail"); do - echo "CREATE USER IF NOT EXISTS 'roundcube'@'${_ip}' IDENTIFIED BY '${_rcpass}';" | mysql_query || exit 1 - echo "GRANT ALL PRIVILEGES ON roundcubemail.* to 'roundcube'@'${_ip}';" | mysql_query || exit 1 + echo "CREATE USER IF NOT EXISTS 'roundcube'@'${_ip}' IDENTIFIED BY '${_rcpass}';" | mysql_query + echo "GRANT ALL PRIVILEGES ON roundcubemail.* to 'roundcube'@'${_ip}';" | mysql_query done done @@ -69,10 +71,10 @@ install_roundcube_mysql() roundcube_init_db() { tell_status "initializing roundcube db" - pkg install -y curl || exit + pkg install -y curl start_roundcube curl -i --haproxy-protocol -F initdb='Initialize database' -XPOST \ - "http://$(get_jail_ip stage)/installer/index.php?_step=3" || exit + "http://$(get_jail_ip stage)/installer/index.php?_step=3" } install_roundcube_plugins() @@ -96,11 +98,11 @@ install_roundcube() _php_modules="$_php_modules pdo_mysql" fi - install_php $PHP_VER "$_php_modules" || exit - install_nginx || exit + install_php $PHP_VER "$_php_modules" + install_nginx tell_status "installing roundcube" - stage_pkg_install roundcube-php${PHP_VER} || exit 1 + stage_pkg_install roundcube-php${PHP_VER} install_roundcube_plugins } 
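Review bot: In `roundcube_init_db` the `curl -i --haproxy-protocol ... -XPOST` call exits 0 even when the installer answers with an HTTP error, so neither the removed `|| exit` nor `set -e` catches a failed database initialisation. Adding `--fail` to that call makes curl return non-zero on an HTTP 4xx/5xx response. `pkg install -y curl` in the same function runs on the host instead of through `stage_pkg_install`; if that is intended, a comment like `# curl runs on the host, talking to the stage jail` would say so.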
@@ -174,25 +176,25 @@ configure_roundcube_php() -e "/^session.gc_maxlifetime/ s/= *[1-9][0-9]*/= 21600/" \ -e "/^post_max_size/ s/= *[1-9][0-9]*M/= ${ROUNDCUBE_ATTACHMENT_SIZE_MB}M/" \ -e "/^upload_max_filesize/ s/= *[1-9][0-9]*M/= ${ROUNDCUBE_ATTACHMENT_SIZE_MB}M/" \ - "$STAGE_MNT/usr/local/etc/php.ini" || exit + "$STAGE_MNT/usr/local/etc/php.ini" } configure_roundcube_plugins() { tell_status "configure the managesieve plugin" cp "$STAGE_MNT/usr/local/www/roundcube/plugins/managesieve/config.inc.php.dist" \ - "$STAGE_MNT/usr/local/www/roundcube/plugins/managesieve/config.inc.php" || exit 1 + "$STAGE_MNT/usr/local/www/roundcube/plugins/managesieve/config.inc.php" sed -i.bak \ -e "/'managesieve_host'/s/localhost/dovecot/" \ - "$STAGE_MNT/usr/local/www/roundcube/plugins/managesieve/config.inc.php" || exit 1 + "$STAGE_MNT/usr/local/www/roundcube/plugins/managesieve/config.inc.php" tell_status "configure the password plugin" cp "$STAGE_MNT/usr/local/www/roundcube/plugins/password/config.inc.php.dist" \ - "$STAGE_MNT/usr/local/www/roundcube/plugins/password/config.inc.php" || exit 1 + "$STAGE_MNT/usr/local/www/roundcube/plugins/password/config.inc.php" sed -i.bak \ -e "/'password_driver'/s/sql/vpopmaild/" \ -e "/'password_vpopmaild_host'/s/localhost/vpopmail/" \ - "$STAGE_MNT/usr/local/www/roundcube/plugins/password/config.inc.php" || exit 1 + "$STAGE_MNT/usr/local/www/roundcube/plugins/password/config.inc.php" } configure_roundcube() @@ -211,7 +213,7 @@ configure_roundcube() if [ -f "$_stage_cfg" ]; then return; fi tell_status "installing default $_stage_cfg" - cp "$_stage_cfg.sample" "$_stage_cfg" || exit + cp "$_stage_cfg.sample" "$_stage_cfg" tell_status "customizing $_stage_cfg" local _dovecot_ip @@ -232,7 +234,7 @@ configure_roundcube() -e "/'smtp_pass'/ s/'';/'%p';/" \ -e "/'archive',/ s/,$/, 'managesieve',/" \ -e "/'product_name'/ s|'Roundcube Webmail'|'$ROUNDCUBE_PRODUCT_NAME'|" \ - "$_stage_cfg" || exit + "$_stage_cfg" tee -a "$_stage_cfg" <<'EO_RC_ADD' 
@@ -257,7 +259,7 @@ EO_RC_ADD else sed -i.bak \ -e "/^\$config\['db_dsnw'/ s/= .*/= 'sqlite:\/\/\/\/data\/sqlite.db?mode=0646';/" \ - "$_stage_cfg" || exit + "$_stage_cfg" if [ ! -f "$ZFS_DATA_MNT/roundcube/sqlite.db" ]; then mkdir -p "$STAGE_MNT/data" diff --git a/provision/rsnapshot.sh b/provision/rsnapshot.sh index 0c5ac022..b9adfacb 100755 --- a/provision/rsnapshot.sh +++ b/provision/rsnapshot.sh @@ -47,7 +47,7 @@ EO_RSNAP if [ ! -d "$STAGE_MNT/root/.ssh" ]; then umask 0077; mkdir "$STAGE_MNT/root/.ssh"; umask 0022; fi - cp "$ZFS_DATA_MNT/rsnapshot/ssh/*" "$STAGE_MNT/root/.ssh" || exit 1 + cp "$ZFS_DATA_MNT/rsnapshot/ssh/"* "$STAGE_MNT/root/.ssh/" || exit 1 fi } diff --git a/provision/rspamd.sh b/provision/rspamd.sh index 7ca8bcd6..4d88cce9 100755 --- a/provision/rspamd.sh +++ b/provision/rspamd.sh @@ -1,6 +1,8 @@ #!/bin/sh -. mail-toaster.sh || exit +set -e + +. mail-toaster.sh export JAIL_START_EXTRA="" export JAIL_CONF_EXTRA="" @@ -10,7 +12,7 @@ RSPAMD_ETC="$STAGE_MNT/usr/local/etc/rspamd" install_rspamd() { tell_status "installing rspamd" - stage_pkg_install rspamd || exit + stage_pkg_install rspamd if [ "$TOASTER_USE_TMPFS" = 1 ]; then tee -a $STAGE_MNT/etc/rc.local <<'EO_RC_LOCAL' @@ -212,7 +214,7 @@ test_rspamd() echo "it worked" } -base_snapshot_exists || exit +base_snapshot_exists || exit 1 create_staged_fs rspamd start_staged_jail rspamd install_rspamd diff --git a/provision/snappymail.sh b/provision/snappymail.sh index e08c9f9d..1d27ec98 100755 --- a/provision/snappymail.sh +++ b/provision/snappymail.sh @@ -1,6 +1,8 @@ #!/bin/sh -. mail-toaster.sh || exit +set -e + +. mail-toaster.sh export JAIL_START_EXTRA="" export JAIL_CONF_EXTRA="" 
@@ -27,13 +29,13 @@ install_snappymail() stage_make_conf snappymail_UNSET 'mail_snappymail_UNSET=SQLITE3 PGSQL REDIS LDAP' fi - install_php "$PHP_VER" "$_php_modules" || exit - install_nginx || exit + install_php "$PHP_VER" "$_php_modules" + install_nginx tell_status "installing snappymail" # stage_pkg_install snappymail-php$PHP_VER stage_pkg_install gnupg - stage_port_install mail/snappymail || exit + stage_port_install mail/snappymail } configure_nginx_server() @@ -87,7 +89,7 @@ install_default_json() local _rlconfdir="$ZFS_DATA_MNT/snappymail/_data_/_default_" if [ ! -d "$_rlconfdir/domains" ]; then tell_status "creating default/domains dir" - mkdir -p "$_rlconfdir/domains" || exit + mkdir -p "$_rlconfdir/domains" fi local _djson="$_rlconfdir/domains/default.json" diff --git a/provision/spamassassin.sh b/provision/spamassassin.sh index 5ebe9db9..8e02d77f 100755 --- a/provision/spamassassin.sh +++ b/provision/spamassassin.sh @@ -1,6 +1,8 @@ #!/bin/sh -. mail-toaster.sh || exit +set -e + +. mail-toaster.sh export JAIL_FSTAB="$ZFS_DATA_MNT/geoip/db $ZFS_JAIL_MNT/spamassassin/usr/local/share/GeoIP nullfs rw 0 0" @@ -29,14 +31,14 @@ install_sought_rules() { fi tell_status "installing sought rules" - fetch -o - http://yerp.org/rules/GPG.KEY | stage_exec sa-update --import - || exit - stage_exec sa-update --gpgkey 6C6191E3 --channel sought.rules.yerp.org || exit + fetch -o - http://yerp.org/rules/GPG.KEY | stage_exec sa-update --import - + stage_exec sa-update --gpgkey 6C6191E3 --channel sought.rules.yerp.org } install_spamassassin_port() { tell_status "install SpamAssassin from ports (w/opts)" - stage_pkg_install p5-Encode-Detect p5-Test-NoWarnings || exit + stage_pkg_install p5-Encode-Detect p5-Test-NoWarnings local _SA_OPTS="DCC DKIM DOCS RAZOR SPF_QUERY GNUPG_NONE" if [ "$TOASTER_MYSQL" = "1" ]; then _SA_OPTS="MYSQL $_SA_OPTS"; fi 
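Review bot: `install_sought_rules` downloads the channel's signing key over plain HTTP (`fetch -o - http://yerp.org/rules/GPG.KEY`) and imports it, so anyone able to alter that response decides which key `sa-update` trusts for the sought rules. The following `--gpgkey 6C6191E3` names the key only by its short 32-bit ID, which is a weak check on what was imported. Shipping the key in the repository and importing it from there, or verifying the full fingerprint of the downloaded key before `sa-update --import`, closes that gap. With `|| exit` removed and no `pipefail`, a failed `fetch` is caught only if `sa-update --import -` itself rejects the empty input. The function starts outside this hunk.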
@@ -56,7 +58,7 @@ install_spamassassin_port() if [ -x "$STAGE_MNT/usr/local/bin/perl5.26.2" ]; then stage_exec ln /usr/local/bin/perl5.26.2 /usr/local/bin/perl5.26.1 fi - stage_port_install mail/spamassassin || exit 1 + stage_port_install mail/spamassassin } install_spamassassin_nrpe() @@ -75,7 +77,7 @@ install_spamassassin_data_fs() for _d in $ZFS_DATA_MNT/spamassassin/etc $ZFS_DATA_MNT/spamassassin/var $STAGE_MNT/usr/local/etc/mail; do if [ ! -d "$_d" ]; then tell_status "creating $_d" - mkdir "$_d" || exit + mkdir "$_d" fi done @@ -85,7 +87,7 @@ install_spamassassin_data_fs() install_spamassassin_razor() { - stage_pkg_install razor-agents || exit + stage_pkg_install razor-agents stage_exec razor-admin -home=/etc/razor -create -d stage_exec razor-admin -home=/etc/razor -register -d @@ -101,7 +103,7 @@ install_spamassassin_razor() tell_status "setting up razor-agent log rotation" if [ ! -d "$STAGE_MNT/etc/newsyslog.conf.d" ]; then - mkdir "$STAGE_MNT/etc/newsyslog.conf.d" || exit + mkdir "$STAGE_MNT/etc/newsyslog.conf.d" fi tee "$STAGE_MNT/etc/newsyslog.conf.d/razor-agent" <&1 - -# logging disabled -exec 1>/dev/null 2>&1 - -exec envuidgid tinydns envdir ./env softlimit -d300000 /usr/local/bin/tinydns -EO_TINYDNS_RUN - - echo "/data/root" > "$STAGE_MNT/var/service/tinydns/env/ROOT" || exit -} - -configure_tinydns6() -{ - tell_status "creating tinydns IPv6 server" - stage_exec tinydns-conf tinydns bin /var/service/tinydns-v6 "$(get_jail_ip6 stage)" - store_config "$STAGE_MNT/var/service/tinydns-v6/run" "overwrite" <&1 - -# logging disabled -exec 1>/dev/null 2>&1 - -exec envuidgid tinydns envdir ./env softlimit -d300000 /usr/local/bin/tinydns -EO_TINYDNS_RUN - - echo "/data/root" > "$STAGE_MNT/var/service/tinydns-v6/env/ROOT" || exit -} +export JAIL_FSTAB="" configure_tinydns() { 
@@ -81,18 +13,20 @@ configure_tinydns() configure_tinydns4 configure_tinydns_data configure_tinydns6 + stage_sysrc sshd_enable="YES" } configure_tinydns_data() { - if [ -d "$ZFS_DATA_MNT/tinydns/root" ]; then + _data_root="$ZFS_DATA_MNT/tinydns/root" + if [ -d "$_data_root" ]; then tell_status "tinydns data already configured" return fi tell_status "configuring tinydns data" - mv "$STAGE_MNT/var/service/tinydns/root" "$ZFS_DATA_MNT/tinydns/root" - tee -a "$ZFS_DATA_MNT/tinydns/root/data" <&1 - -# logging disabled -exec 1>/dev/null 2>&1 - -exec envdir ./env sh -c ' - exec envuidgid tinydns softlimit -d300000 tcpserver -vDRHl0 -x tcp.cdb -- "$IP" 53 /usr/local/bin/axfrdns -' -EO_AXFRDNS_RUN - - store_config "$STAGE_MNT/var/service/axfrdns/tcp" "overwrite" <&1 - -# logging disabled -exec 1>/dev/null 2>&1 - -exec envdir ./env sh -c ' - exec envuidgid tinydns softlimit -d300000 tcpserver -vDRHl0 -x tcp.cdb -- "$IP" 53 /usr/local/bin/axfrdns -' -EO_AXFRDNS_RUN - - store_config "$STAGE_MNT/var/service/axfrdns-v6/tcp" "overwrite" <> /boot/loader.conf From 4ff50b150be13b5fb241315aa83e6511a2dc5a1b Mon Sep 17 00:00:00 2001 From: Matt Simerson Date: Tue, 19 Mar 2024 12:48:41 -0700 Subject: [PATCH 02/10] dovecot: test fix --- provision/dovecot.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/provision/dovecot.sh b/provision/dovecot.sh index 402d6dd4..e09a1d06 100755 --- a/provision/dovecot.sh +++ b/provision/dovecot.sh @@ -614,7 +614,7 @@ EOF test_imap_curl() { # shellcheck disable=SC2001 - curl -k -v --login-options 'AUTH=PLAIN' "imaps://$(echo $POST_USER | sed -e 's/@/%40/'):${POST_PASS}@dovecot/" + curl -k -v --login-options 'AUTH=PLAIN' "imaps://$(echo $POST_USER | sed -e 's/@/%40/'):${POST_PASS}@stage/" } test_imap() From 2ecd762b737a1f2ff25393c1a199514383330989 Mon Sep 17 00:00:00 2001 
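Review bot: `configure_tinydns` now ends with `stage_sysrc sshd_enable="YES"`, which turns on an SSH daemon inside the DNS jail, and neither the commit message nor the visible part of the hunk says why. An extra listening service on a name server is added exposure, so if it serves a purpose it should be stated in a comment above the line and gated on a configuration setting instead of being enabled for every install. The remainder of this hunk is not legible on this page, so whether sshd is restricted elsewhere cannot be checked here.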
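Review bot: `test_imap_curl` builds the credentials into the URL, percent-encoding only `@` in the user name and nothing in `${POST_PASS}`, so a password containing `/`, `:`, `#` or `%` is sent wrong or breaks URL parsing. Passing them separately avoids the encoding problem: `curl -k -v --login-options 'AUTH=PLAIN' --user "$POST_USER:$POST_PASS" "imaps://stage/"`. With `-v` the login exchange may end up in the build output, so the test account should be a throwaway one. `-k` is understandable against the stage jail's certificate, but a comment saying that verification is skipped on purpose would help.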
From: Matt Simerson Date: Tue, 19 Mar 2024 12:46:35 -0700 Subject: [PATCH 03/10] add bats tests --- .github/workflows/ci.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3a7579e7..c06c92f7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,3 +14,14 @@ jobs: uses: ludeeus/action-shellcheck@master env: SHELLCHECK_OPTS: -s bash -e SC1004,SC1091,SC2009,SC2016,SC2039,SC2086,SC2119,SC2153 + + bats: + name: Bats + runs-on: ubuntu-latest + steps: + - name: checkout + uses: actions/checkout@v4 + - name: Setup Bats + uses: bats-core/bats-action@1.5.4 + - name: bats test + run: bats test \ No newline at end of file From 879f64f57d2bd23d74d9eb5ecfd4685139a29719 Mon Sep 17 00:00:00 2001 From: Matt Simerson Date: Tue, 19 Mar 2024 12:47:02 -0700 Subject: [PATCH 04/10] mta: check sendmail rc.conf b4 setting --- include/mta.sh | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/include/mta.sh b/include/mta.sh index 44bed750..f702b8b0 100644 --- a/include/mta.sh +++ b/include/mta.sh @@ -21,7 +21,15 @@ configure_mta() enable_sendmail() { - sysrc -f "$_base/etc/rc.conf" sendmail_enable=YES sendmail_outbound_enable=YES + local _sysrc="sysrc -f $_base/etc/rc.conf" + + if [ "$($_sysrc -n sendmail_enable)" != "YES" ]; then + $_sysrc sendmail_enable=YES + fi + + if [ "$($_sysrc -n sendmail_outbound_enable)" != "YES" ]; then + $_sysrc sendmail_outbound_enable=YES + fi if jail_is_running stage; then stage_exec service sendmail start 
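Review bot: `enable_sendmail` stores a command in a string, `local _sysrc="sysrc -f $_base/etc/rc.conf"`, and runs it through unquoted `$_sysrc`, which relies on word splitting and breaks if `$_base` ever contains whitespace or glob characters; `disable_sendmail` in the next hunk repeats the pattern. A small helper keeps the arguments intact: `_sysrc() { sysrc -f "$_base/etc/rc.conf" "$@"; }`, called as `_sysrc -n sendmail_enable`. The disable path also now writes `sendmail_outbound_enable=NO` where it used to write `NONE`, which the subject line does not mention. Both functions continue outside their hunks.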
@@ -42,7 +50,15 @@ disable_sendmail() if pgrep -j none sendmail; then service sendmail onestop; fi fi - sysrc -f "$_base/etc/rc.conf" sendmail_enable=NONE sendmail_outbound_enable=NONE + local _sysrc="sysrc -f $_base/etc/rc.conf" + + if [ "$($_sysrc -n sendmail_enable)" != "NONE" ]; then + $_sysrc sendmail_enable=NONE + fi + + if [ "$($_sysrc -n sendmail_outbound_enable)" != "NO" ]; then + $_sysrc sendmail_outbound_enable=NO + fi } set_root_alias() From 7b8a896b3be0b9a66805591fedb0946e1d5c9bfa Mon Sep 17 00:00:00 2001 From: Matt Simerson Date: Tue, 19 Mar 2024 15:40:51 -0700 Subject: [PATCH 05/10] add bats tests --- .github/workflows/ci.yml | 4 ++-- .gitmodules | 9 +++++++++ mail-toaster.sh | 20 +++++++++++--------- provision/spamassassin.sh | 4 ++-- test/bats | 1 + test/mail-toaster.bats | 28 ++++++++++++++++++++++++++++ test/test_helper/bats-assert | 1 + test/test_helper/bats-support | 1 + 8 files changed, 55 insertions(+), 13 deletions(-) create mode 100644 .gitmodules create mode 160000 test/bats create mode 100644 test/mail-toaster.bats create mode 160000 test/test_helper/bats-assert create mode 160000 test/test_helper/bats-support diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c06c92f7..0f52d4fb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -22,6 +22,6 @@ jobs: - name: checkout uses: actions/checkout@v4 - name: Setup Bats - uses: bats-core/bats-action@1.5.4 + run: git submodule update --init --recursive - name: bats test - run: bats test \ No newline at end of file + run: ./test/bats/bin/bats test \ No newline at end of file diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 00000000..b7efcb44 --- /dev/null +++ b/.gitmodules 
@@ -0,0 +1,9 @@ +[submodule "test/bats"] + path = test/bats + url = https://github.com/bats-core/bats-core.git +[submodule "test/test_helper/bats-support"] + path = test/test_helper/bats-support + url = https://github.com/bats-core/bats-support.git +[submodule "test/test_helper/bats-assert"] + path = test/test_helper/bats-assert + url = https://github.com/bats-core/bats-assert.git diff --git a/mail-toaster.sh b/mail-toaster.sh index e8835dbc..046fa5d3 100755 --- a/mail-toaster.sh +++ b/mail-toaster.sh @@ -247,7 +247,7 @@ export BASE_MNT="$ZFS_JAIL_MNT/$BASE_NAME" export STAGE_MNT="$ZFS_JAIL_MNT/stage" -fatal_err() { echo; echo "FATAL: $1"; echo; exit; } +fatal_err() { echo; echo "FATAL: $1"; echo; exit 1; } safe_jailname() { @@ -1113,7 +1113,7 @@ reverse_list() { # shellcheck disable=2068 for _j in $@; do - _rev_list="${_j} ${_rev_list}" + local _rev_list="${_j} ${_rev_list}" done echo "$_rev_list" } @@ -1332,18 +1332,20 @@ assure_jail() } preserve_file() { - # $1 is the jail name - # $2 is a path to a file within a jail - local _active_cfg="$ZFS_JAIL_MNT/$1/$2" - local _stage_cfg="${STAGE_MNT}/$2" + local _jail_name=$1 + local _file_path=$2 + + local _active_cfg="$ZFS_JAIL_MNT/$_jail_name/$_file_path" + local _stage_cfg="${STAGE_MNT}/$_file_path" + if [ -f "$_active_cfg" ]; then tell_status "preserving $_active_cfg" cp "$_active_cfg" "$_stage_cfg" || return 1 return fi - if [ -d "$ZFS_JAIL_MNT/$1.last" ]; then - _active_cfg="$ZFS_JAIL_MNT/$1.last/$2" + if [ -d "$ZFS_JAIL_MNT/$_jail_name.last" ]; then + _active_cfg="$ZFS_JAIL_MNT/$_jail_name.last/$_file_path" if [ -f "$_active_cfg" ]; then tell_status "preserving $_active_cfg" cp "$_active_cfg" "$_stage_cfg" || return 1 @@ -1356,4 +1358,4 @@ onexit() { while caller $((n++)); do :; done; } if [ "$TOASTER_BUILD_DEBUG" = "1" ]; then trap onexit EXIT -fi \ No newline at end of file +fi diff --git a/provision/spamassassin.sh b/provision/spamassassin.sh index 8e02d77f..7e51fabd 100755 --- a/provision/spamassassin.sh 
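Review bot: In `reverse_list`, `local _rev_list="${_j} ${_rev_list}"` expands the right-hand side before the variable becomes local, so the first iteration picks up whatever `_rev_list` the caller or an earlier global assignment left behind and the result carries that stale tail. Declaring it empty before the loop and assigning plainly inside fixes it: `local _rev_list=""` above the `for`, then `_rev_list="${_j} ${_rev_list}"`. The bats test added in this series uses `assert_output --partial "toe tac tic"`, which would not notice extra content after the expected words.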
+++ b/provision/spamassassin.sh @@ -40,12 +40,12 @@ install_spamassassin_port() tell_status "install SpamAssassin from ports (w/opts)" stage_pkg_install p5-Encode-Detect p5-Test-NoWarnings - local _SA_OPTS="DCC DKIM DOCS RAZOR SPF_QUERY GNUPG_NONE" + local _SA_OPTS="AS_ROOT DCC DKIM RAZOR SPF_QUERY GNUPG_NONE" if [ "$TOASTER_MYSQL" = "1" ]; then _SA_OPTS="MYSQL $_SA_OPTS"; fi if [ -n "$MAXMIND_LICENSE_KEY" ]; then _SA_OPTS="RELAY_COUNTRY $_SA_OPTS"; fi stage_make_conf mail_spamassassin_SET "mail_spamassassin_SET=$_SA_OPTS" - stage_make_conf mail_spamassassin_UNSET 'mail_spamassassin_UNSET=SSL GNUPG GNUPG2 PYZOR PGSQL RLIMIT' + stage_make_conf mail_spamassassin_UNSET 'mail_spamassassin_UNSET=DOCS SSL GNUPG GNUPG2 PYZOR DMARC PGSQL RLIMIT' stage_make_conf dcc-dccd_SET 'mail_dcc-dccd_SET=DCCIFD IPV6' stage_make_conf dcc-dccd_UNSET 'mail_dcc-dccd_UNSET=DCCGREY DCCD DCCM PORTS_MILTER' stage_make_conf LICENSES_ACCEPTED 'LICENSES_ACCEPTED=DCC' diff --git a/test/bats b/test/bats new file mode 160000 index 00000000..af6eb009 --- /dev/null +++ b/test/bats @@ -0,0 +1 @@ +Subproject commit af6eb009bdd3005f22224a73fb0e10f592f0bc88 diff --git a/test/mail-toaster.bats b/test/mail-toaster.bats new file mode 100644 index 00000000..2cfe5946 --- /dev/null +++ b/test/mail-toaster.bats @@ -0,0 +1,28 @@ +# https://bats-core.readthedocs.io/en/stable/writing-tests.html + +setup() { + load 'test_helper/bats-support/load' + load 'test_helper/bats-assert/load' + load ../mail-toaster.sh +} + +@test "mt6_version_check" { + run mt6_version_check + [ "$status" -eq 0 ] +} + +@test "safe_jailname replaces . with _" { + run safe_jailname bad.chars + [ "$status" -eq 0 ] + [ "${lines[0]}" = "bad_chars" ] +} + +@test "reverse_list" { + run reverse_list tic tac toe + assert_output --partial "toe tac tic" +} + +@test "tell_status" { + run tell_status "BATS testing" + [ "$status" -eq 0 ] +} 
diff --git a/test/test_helper/bats-assert b/test/test_helper/bats-assert new file mode 160000 index 00000000..e2d855bc --- /dev/null +++ b/test/test_helper/bats-assert @@ -0,0 +1 @@ +Subproject commit e2d855bc78619ee15b0c702b5c30fb074101159f diff --git a/test/test_helper/bats-support b/test/test_helper/bats-support new file mode 160000 index 00000000..9bf10e87 --- /dev/null +++ b/test/test_helper/bats-support @@ -0,0 +1 @@ +Subproject commit 9bf10e876dd6b624fe44423f0b35e064225f7556 From 0785298787aff5ef1422dff084f4b13592ec8759 Mon Sep 17 00:00:00 2001 From: Matt Simerson Date: Tue, 19 Mar 2024 15:52:43 -0700 Subject: [PATCH 06/10] add vmactions/freebsd --- .github/workflows/ci.yml | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0f52d4fb..8e377fe3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -24,4 +24,28 @@ jobs: - name: Setup Bats run: git submodule update --init --recursive - name: bats test - run: ./test/bats/bin/bats test \ No newline at end of file + run: ./test/bats/bin/bats test + + freebsd: + runs-on: ubuntu-latest + name: A job to run test in FreeBSD + env: + MYTOKEN : ${{ secrets.MYTOKEN }} + MYTOKEN2: "value2" + steps: + - uses: actions/checkout@v4 + - name: Test in FreeBSD + id: test + uses: vmactions/freebsd-vm@v1 + with: + envs: 'MYTOKEN MYTOKEN2' + usesh: true + prepare: | + pkg install -y curl + + run: | + pwd + ls -lah + whoami + env + freebsd-version \ No newline at end of file From 8fb3cff73882cddd91ac7968d91e597b93c7c50e Mon Sep 17 00:00:00 2001 From: Matt Simerson Date: Tue, 19 Mar 2024 16:00:30 -0700 Subject: [PATCH 07/10] skip freebsd --- .github/workflows/ci.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8e377fe3..0ad064d2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
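Review bot: The new `freebsd` job forwards `${{ secrets.MYTOKEN }}` to a third-party action referenced by a movable tag (`vmactions/freebsd-vm@v1`) and then runs `env` inside the VM, which prints every forwarded variable to the job log. Log masking of secret values is a backstop, not a reason to print them. The steps shown never use the token, so the simplest fix is to drop the job-level `env:` block and `envs: 'MYTOKEN MYTOKEN2'` and remove the `env` command. If the action stays, pin it to a full commit SHA (`uses: vmactions/freebsd-vm@<full-commit-sha>`); the existing `ludeeus/action-shellcheck@master` line has the same pinning problem. The next patch disables the job with `if: false`, but the secret wiring remains in the file.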
@@ -27,8 +27,9 @@ jobs: run: ./test/bats/bin/bats test freebsd: + if: false runs-on: ubuntu-latest - name: A job to run test in FreeBSD + name: FreeBSD env: MYTOKEN : ${{ secrets.MYTOKEN }} MYTOKEN2: "value2" From e185b13748d0b68d80666946a5aaa7aa531dfba6 Mon Sep 17 00:00:00 2001 From: Matt Simerson Date: Tue, 19 Mar 2024 16:35:19 -0700 Subject: [PATCH 08/10] a few more bats tests --- include/djb.sh | 2 ++ include/editor.sh | 0 include/mta.sh | 0 include/mysql.sh | 0 include/nginx.sh | 0 include/php.sh | 0 include/shell.sh | 0 include/user.sh | 0 include/vpopmail.sh | 0 qmail/toaster-quota-report | 2 +- test/include.bats | 50 ++++++++++++++++++++++++++++++++++++++ 11 files changed, 53 insertions(+), 1 deletion(-) mode change 100644 => 100755 include/djb.sh mode change 100644 => 100755 include/editor.sh mode change 100644 => 100755 include/mta.sh mode change 100644 => 100755 include/mysql.sh mode change 100644 => 100755 include/nginx.sh mode change 100644 => 100755 include/php.sh mode change 100644 => 100755 include/shell.sh mode change 100644 => 100755 include/user.sh mode change 100644 => 100755 include/vpopmail.sh create mode 100644 test/include.bats diff --git a/include/djb.sh b/include/djb.sh old mode 100644 new mode 100755 index 3374553e..2b02a3c4 --- a/include/djb.sh +++ b/include/djb.sh @@ -172,3 +172,5 @@ start_tinydns() tell_status "starting dns daemons" stage_exec service svscan start } + +exit 0 \ No newline at end of file diff --git a/include/editor.sh b/include/editor.sh old mode 100644 new mode 100755 diff --git a/include/mta.sh b/include/mta.sh old mode 100644 new mode 100755 diff --git a/include/mysql.sh b/include/mysql.sh old mode 100644 new mode 100755 diff --git a/include/nginx.sh b/include/nginx.sh old mode 100644 new mode 100755 diff --git a/include/php.sh b/include/php.sh old mode 100644 new mode 100755 diff --git a/include/shell.sh b/include/shell.sh old mode 100644 new mode 100755 
diff --git a/include/user.sh b/include/user.sh old mode 100644 new mode 100755 diff --git a/include/vpopmail.sh b/include/vpopmail.sh old mode 100644 new mode 100755 diff --git a/qmail/toaster-quota-report b/qmail/toaster-quota-report index 421ba25e..6f83eeba 100755 --- a/qmail/toaster-quota-report +++ b/qmail/toaster-quota-report @@ -37,7 +37,7 @@ foreach my $domain ( `$vpopdir/bin/vdominfo -n` ) { foreach my $user ( `$vpopdir/bin/vuserinfo -n -D $domain` ) { chomp $user; -# Get quota/info for user + # Get quota/info for user my $info = `$vpopdir/bin/vuserinfo $user\@$domain`; my ($dir) = $info =~ m/dir:\s+(.*)/; my ($name) = $info =~ m/comment\/gecos:\s+(.*)/; diff --git a/test/include.bats b/test/include.bats new file mode 100644 index 00000000..7c55054a --- /dev/null +++ b/test/include.bats @@ -0,0 +1,50 @@ + +setup() { + load 'test_helper/bats-support/load' + load 'test_helper/bats-assert/load' +} + +@test "./include/djb.sh" { + run ./include/djb.sh + [ "$status" -eq 0 ] +} + +@test "./include/editor.sh" { + run ./include/editor.sh + [ "$status" -eq 0 ] +} + +@test "./include/mta.sh" { + run ./include/mta.sh + [ "$status" -eq 0 ] +} + +@test "./include/mysql.sh" { + run ./include/mysql.sh + [ "$status" -eq 0 ] +} + +@test "./include/nginx.sh" { + run ./include/nginx.sh + [ "$status" -eq 0 ] +} + +@test "./include/php.sh" { + run ./include/php.sh + [ "$status" -eq 0 ] +} + +@test "./include/shell.sh" { + run ./include/shell.sh + [ "$status" -eq 0 ] +} + +@test "./include/user.sh" { + run ./include/user.sh + [ "$status" -eq 0 ] +} + +@test "./include/vpopmail.sh" { + run ./include/vpopmail.sh + [ "$status" -eq 0 ] +} From 76eebb399de28641cb2b37d44518098e066b387a Mon Sep 17 00:00:00 2001 From: Matt Simerson Date: Tue, 19 Mar 2024 16:53:45 -0700 Subject: [PATCH 09/10] use assert_success --- test/include.bats | 18 +++++++++--------- test/mail-toaster.bats | 11 +++++++---- 2 files changed, 16 insertions(+), 13 deletions(-) 
diff --git a/test/include.bats b/test/include.bats index 7c55054a..a2c13927 100644 --- a/test/include.bats +++ b/test/include.bats @@ -6,45 +6,45 @@ setup() { @test "./include/djb.sh" { run ./include/djb.sh - [ "$status" -eq 0 ] + assert_success } @test "./include/editor.sh" { run ./include/editor.sh - [ "$status" -eq 0 ] + assert_success } @test "./include/mta.sh" { run ./include/mta.sh - [ "$status" -eq 0 ] + assert_success } @test "./include/mysql.sh" { run ./include/mysql.sh - [ "$status" -eq 0 ] + assert_success } @test "./include/nginx.sh" { run ./include/nginx.sh - [ "$status" -eq 0 ] + assert_success } @test "./include/php.sh" { run ./include/php.sh - [ "$status" -eq 0 ] + assert_success } @test "./include/shell.sh" { run ./include/shell.sh - [ "$status" -eq 0 ] + assert_success } @test "./include/user.sh" { run ./include/user.sh - [ "$status" -eq 0 ] + assert_success } @test "./include/vpopmail.sh" { run ./include/vpopmail.sh - [ "$status" -eq 0 ] + assert_success } diff --git a/test/mail-toaster.bats b/test/mail-toaster.bats index 2cfe5946..16b5c311 100644 --- a/test/mail-toaster.bats +++ b/test/mail-toaster.bats @@ -8,21 +8,24 @@ setup() { @test "mt6_version_check" { run mt6_version_check - [ "$status" -eq 0 ] + #[ "$status" -eq 0 ] + assert_success } @test "safe_jailname replaces . with _" { run safe_jailname bad.chars - [ "$status" -eq 0 ] - [ "${lines[0]}" = "bad_chars" ] + assert_success + assert_output "bad_chars" } @test "reverse_list" { run reverse_list tic tac toe + #echo "# $output" >&3 + assert_success assert_output --partial "toe tac tic" } @test "tell_status" { run tell_status "BATS testing" - [ "$status" -eq 0 ] + assert_success } From 8b074d2249ac7c9ae083cc3f0b4f2350b7baad4b Mon Sep 17 00:00:00 2001 From: Matt Simerson Date: Tue, 19 Mar 2024 16:56:53 -0700 Subject: [PATCH 10/10] revert exit --- include/djb.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/include/djb.sh b/include/djb.sh index 2b02a3c4..3374553e 100755 
--- a/include/djb.sh +++ b/include/djb.sh @@ -172,5 +172,3 @@ start_tinydns() tell_status "starting dns daemons" stage_exec service svscan start } - -exit 0 \ No newline at end of file