From a504d7a038659b68226ae7975341ecdbdcf0fb1e Mon Sep 17 00:00:00 2001 From: Jeremy Davis Date: Fri, 10 Oct 2025 22:22:06 +0000 Subject: [PATCH 01/10] Update plan --- plans/turnkey/base | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/plans/turnkey/base b/plans/turnkey/base index e7ff31e8..83f3ee8f 100644 --- a/plans/turnkey/base +++ b/plans/turnkey/base @@ -5,8 +5,9 @@ wget curl rsync +zstd /* if installed will use to compress initramfs */ -di-live +//di-live whiptail /* di-live recommends */ kbd /* di-live recommends */ lvm2 /* di-live recommends */ @@ -15,7 +16,7 @@ eject /* di-live recommends */ confconsole kbd /* confconsole recommends */ -di-live /* confconsole recommends */ +//di-live /* confconsole recommends */ resolvconf /* confconsole recommends */ /* Dbus is new default package in v18.x */ @@ -25,14 +26,13 @@ dbus /* seed entropy in early boot (especially useful when live booting). */ jitterentropy-rngd -tklbam /* still depends on py2 for now */ +//tklbam /* still depends on py2 for now */ hubdns inithooks -python3-dialog /* tkl tools depends */ turnkey-sysinfo turnkey-version -turnkey-ssl /* new tkl pkg - moved from common overlay/conf */ +turnkey-ssl cron cron-apt @@ -49,8 +49,8 @@ nano ntpsec ncurses-term /* support additional $TERM values */ -perl-openssl-defaults /* libnet-ssleay-perl depends (webmin depends) */ -libnet-ssleay-perl /* webmin depends */ +//perl-openssl-defaults /* libnet-ssleay-perl depends (webmin depends) */ +//libnet-ssleay-perl /* webmin depends */ webmin webmin-authentic-theme webmin-net From e724ec05304c7ec757e506f1579ecd5a578c7721 Mon Sep 17 00:00:00 2001 From: Jeremy Davis Date: Sat, 11 Oct 2025 10:11:30 +1100 Subject: [PATCH 02/10] Update cipher lists --- conf/turnkey.d/zz-ssl-ciphers | 36 +++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/conf/turnkey.d/zz-ssl-ciphers b/conf/turnkey.d/zz-ssl-ciphers index 8f21b856..4d274ce0 100755 
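Review bot: The `//di-live` lines are commented out, but the entries kept only because of it — `whiptail /* di-live recommends */`, `kbd`, `lvm2`, `eject` — still carry that rationale, so the plan now pins packages whose stated reason no longer applies; either comment those out as well or reword the comments to the reason they actually stay (presumably confconsole, which the later `kbd /* confconsole recommends */` line already covers). Likewise `//perl-openssl-defaults` and `//libnet-ssleay-perl` drop explicit pins for packages the comments describe as webmin dependencies while `webmin` stays, which is fine if apt pulls them in transitively, but a note such as `/* pulled in by webmin; no longer pinned */` would say so. `python3-dialog /* tkl tools depends */` is removed outright with no replacement comment, so the next reader cannot tell whether that dependency moved or was dropped.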
--- a/conf/turnkey.d/zz-ssl-ciphers
+++ b/conf/turnkey.d/zz-ssl-ciphers
@@ -6,33 +6,33 @@ # It provides a common set of hardened SSL/TLS ciphers fo all webserver apps # Base configuration is provided by relevant overlay files -set ${CERTFILE:="/etc/ssl/private/cert.pem"} -set ${CRTFILE:="/usr/local/share/ca-certificates/cert.crt"} -set ${KEYFILE:="/etc/ssl/private/cert.key"} -set ${DHPARAMS:="/etc/ssl/private/dhparams.pem"} +set "${CERTFILE:="/etc/ssl/private/cert.pem"}" +set "${CRTFILE:="/usr/local/share/ca-certificates/cert.crt"}" +set "${KEYFILE:="/etc/ssl/private/cert.key"}" +set "${DHPARAMS:="/etc/ssl/private/dhparams.pem"}" -# Secure Cipher List recommended by Mozilla https://ssl-config.mozilla.org/ -# See https://github.com/turnkeylinux/tracker/issues/1380 for more info -# Note separate cipher list no longer required for Tomcat9 -SECURE_CIPHER_LIST="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" +# "Intermediate" Secure Cipher List recommended by Mozilla: +# https://ssl-config.mozilla.org/ -# Compatible Cipher List recommended for older clients - reduced security score (currently not used) -COMPATIBLE_CIPHER_LIST="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA" 
+SECURE_CIPHER_LIST="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305" + +# Tomcat 10 & 11 use slightly different cipher list - requires Java 10+ +TOMCAT_SECURE_CIPHER_LIST="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305" fatal() { - echo "fatal: $@" 1>&2 + echo "fatal: $*" 1>&2 exit 1 } # Postfix CONF=/etc/postfix/main.cf -if [ -f "$CONF" ]; then +if [[ -f "$CONF" ]]; then sed -i "/tls_medium_cipherlist/ s|ZZ_SSL_CIPHERS|$SECURE_CIPHER_LIST|" $CONF fi # Apache2 CONF="/etc/apache2/mods-available/ssl.conf" -if [ -f "$CONF" ]; then +if [[ -f "$CONF" ]]; then sed -i "s|^\(\s*SSLCipherSuite\s\+\).*$|\1${SECURE_CIPHER_LIST}|g" $CONF a2enmod ssl a2enconf security @@ -40,23 +40,23 @@ fi # Nginx CONF="/etc/nginx/snippets/ssl.conf" -if [ -f "$CONF" ]; then +if [[ -f "$CONF" ]]; then # SSL enabled by default (see overlay) sed -i "s|ssl_ciphers '.*|ssl_ciphers '${SECURE_CIPHER_LIST}';|" $CONF fi # Lighttpd CONF="/etc/lighttpd/ssl-params.conf" -if [ -f "$CONF" ]; then +if [[ -f "$CONF" ]]; then sed -i "/CipherString/ s|ZZ_SSL_CIPHERS|$SECURE_CIPHER_LIST|" $CONF lighty-enable-mod ssl fi # Tomcat -# As of v15.x TKL uses Debian Tomcat default ciphers +# Note uses slightly different cipher list in TKL v19.x for CONF in /etc/tomcat*/server.xml; do - if [ -f "$CONF" ]; then - sed -i "s|ciphers=|ciphers=\"${SECURE_CIPHER_LIST}\"|" $CONF + if [[ -f "$CONF" ]]; then + sed -i "s|ciphers=|ciphers=\"${TOMCAT_SECURE_CIPHER_LIST}\"|" "$CONF" fi done 
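Review bot: `set "${CERTFILE:="/etc/ssl/private/cert.pem"}"` and the three `set` lines after it assign the defaults as a side effect, but `set` also replaces the script's positional parameters with that path; the conventional no-op form is `: "${CERTFILE:="/etc/ssl/private/cert.pem"}"`, a one-character change on lines this commit already touches for quoting. Further down in the same hunk the Postfix and Apache `sed -i ... $CONF` calls still pass `$CONF` unquoted while the Tomcat loop in the next hunk was changed to `"$CONF"`; the values are fixed paths without spaces, so this is a consistency point rather than a live bug, but `"$CONF"` throughout would let ShellCheck pass clean. The switch from `[ -f "$CONF" ]` to `[[ -f "$CONF" ]]` assumes bash; the shebang is outside this hunk, so that could not be confirmed here.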
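Review bot: The Tomcat line `sed -i "s|ciphers=|ciphers=\"${TOMCAT_SECURE_CIPHER_LIST}\"|" "$CONF"` prepends a quoted value to whatever already follows `ciphers=`, so it yields valid XML only if the overlay server.xml carries a bare `ciphers=` attribute, and a second run of the script inserts the list twice; the server.xml hunks later in this series are not legible here, so that precondition could not be checked. Every other block in this file replaces a `ZZ_SSL_CIPHERS` placeholder; shipping `ciphers="ZZ_SSL_CIPHERS"` in the overlay and using `sed -i "s|ZZ_SSL_CIPHERS|${TOMCAT_SECURE_CIPHER_LIST}|" "$CONF"` would make the Tomcat path idempotent and consistent with the rest. The replaced comment `# Note uses slightly different cipher list in TKL v19.x` could point at where that list lives: `# Tomcat 10/11: uses TOMCAT_SECURE_CIPHER_LIST (defined above)`.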
From f0749798031080949b0016a9d8205967c653bc0f Mon Sep 17 00:00:00 2001 From: Jeremy Davis Date: Sat, 11 Oct 2025 10:36:41 +1100 Subject: [PATCH 03/10] Update postfix conf --- conf/turnkey.d/postfix-local | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/conf/turnkey.d/postfix-local b/conf/turnkey.d/postfix-local index 53489ae7..7e0de5db 100755 --- a/conf/turnkey.d/postfix-local +++ b/conf/turnkey.d/postfix-local @@ -20,15 +20,15 @@ postconf -e smtpd_banner='$myhostname ESMTP' #postconf -e smtpd_tls_cert_file=/etc/ssl/private/cert.pem #postconf -e smtpd_tls_key_file=/etc/ssl/private/cert.key -# despite name, accepts more bits (i.e. > 1024 bits) -postconf -e smtpd_tls_dh1024_param_file=/etc/ssl/private/dhparams.pem -postconf -e smtpd_tls_mandatory_protocols='!SSLv2, !SSLv3, !TLSv1, !TLSv1.1' -postconf -e smtpd_tls_protocols='!SSLv2, !SSLv3, !TLSv1, !TLSv1.1' +postconf -e smtpd_tls_auth_only=yes +postconf -e tls_preempt_cipherlist=no +postconf -e smtpd_tls_mandatory_protocols='>=TLSv1.2' +postconf -e smtpd_tls_protocols='>=TLSv1.2' +postconf -e smtp_tls_mandatory_ciphers=medium postconf -e smtpd_tls_mandatory_ciphers=medium # ciphers set by common/conf/turnkey.d/zz-ssl-ciphers postconf -e tls_medium_cipherlist="ZZ_SSL_CIPHERS" -postconf -e tls_preempt_cipherlist=no service postfix start systemctl enable postfix@-.service From c10317d042514609f1b3dea9dbfedf6b6b174e73 Mon Sep 17 00:00:00 2001 From: Jeremy Davis Date: Sat, 11 Oct 2025 11:36:21 +1100 Subject: [PATCH 04/10] Remove apache ssl config overlay and replace with conf script to update default --- conf/apache-ssl | 52 +++++++++ .../etc/apache2/mods-available/ssl.conf | 102 ------------------ 2 files changed, 52 insertions(+), 102 deletions(-) create mode 100755 conf/apache-ssl delete mode 100644 overlays/apache/etc/apache2/mods-available/ssl.conf diff --git a/conf/apache-ssl b/conf/apache-ssl new file mode 100755 index 00000000..ab9627a0 --- /dev/null +++ b/conf/apache-ssl 
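Review bot: Removing `postconf -e smtpd_tls_dh1024_param_file=/etc/ssl/private/dhparams.pem` changes which DH parameters Postfix offers without saying so; zz-ssl-ciphers still defines `DHPARAMS` for that file and the Apache, lighttpd and nginx configs keep referencing it, so if the intent is to rely on Postfix's built-in group a line such as `# DH params: Postfix built-in group; dhparams.pem no longer referenced here` would make that deliberate. `smtp_tls_mandatory_ciphers=medium` only applies when the client-side (outbound) security level is a mandatory one, and `smtp_tls_security_level` is not set anywhere in this hunk, so it may be a no-op — worth confirming against the rest of the file. The `>=TLSv1.2` protocol form needs Postfix 3.6 or later as far as I recall, which a short comment could record; `smtpd_tls_auth_only=yes` is a sound addition since it refuses AUTH on plaintext sessions.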
@@ -0,0 +1,52 @@ +#!/bin/bash -e + +# try to enable mod, if not available just continue +a2enmod ssl || true + +# tweak mod_evasive defaults +CONF=/etc/apache2/mods-available/ssl.conf +if [[ -f "$CONF" ]]; then + # tighten ssl protocol support + ssl_protocol="# Hardened TKL default\nSSLProtocol -all +TLSv1.2 +TLSv1.3" + sed -Ei "\|^SSLProtocol| s|^(.*)|#\1\n$ssl_protocol|" "$CONF" + + cipher_suites=$(cat <> "$CONF" <&2 + exit 1 +fi diff --git a/overlays/apache/etc/apache2/mods-available/ssl.conf b/overlays/apache/etc/apache2/mods-available/ssl.conf deleted file mode 100644 index 99b63835..00000000 --- a/overlays/apache/etc/apache2/mods-available/ssl.conf +++ /dev/null 
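Review bot: The comment `# tweak mod_evasive defaults` above `CONF=/etc/apache2/mods-available/ssl.conf` names the wrong module and should read `# harden the stock mod_ssl defaults in ssl.conf`. The `sed -Ei "\|^SSLProtocol| s|^(.*)|#\1\n$ssl_protocol|" "$CONF"` step is not idempotent — every run comments out the line it inserted last time and appends another — and its address is anchored at column 0, while the overlay ssl.conf deleted in this same commit shows `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` indented inside the IfModule block; `\|^\s*SSLProtocol|` as the address, guarded by `grep -q 'Hardened TKL default' "$CONF" ||` in front of the edit, covers both. The heredoc that builds `cipher_suites` and the append to `$CONF` are garbled in this view (the redirections are missing), so that part of the script was not reviewed.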
@@ -1,102 +0,0 @@ - - - # Pseudo Random Number Generator (PRNG): - # Configure one or more sources to seed the PRNG of the SSL library. - # The seed data should be of good random quality. - # WARNING! On some platforms /dev/random blocks if not enough entropy - # is available. This means you then cannot use the /dev/random device - # because it would lead to very long connection times (as long as - # it requires to make more entropy available). But usually those - # platforms additionally provide a /dev/urandom device which doesn't - # block. So, if available, use this one instead. Read the mod_ssl User - # Manual for more details. - # - SSLRandomSeed startup builtin - SSLRandomSeed startup file:/dev/urandom 512 - SSLRandomSeed connect builtin - SSLRandomSeed connect file:/dev/urandom 512 - - ## - ## SSL Global Context - ## - ## All SSL configuration in this context applies both to - ## the main server and all SSL-enabled virtual hosts. - ## - - # - # Some MIME-types for downloading Certificates and CRLs - # - AddType application/x-x509-ca-cert .crt - AddType application/x-pkcs7-crl .crl - - # Pass Phrase Dialog: - # Configure the pass phrase gathering process. - # The filtering dialog program (`builtin' is a internal - # terminal dialog) has to provide the pass phrase on stdout. - SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase - - # Inter-Process Session Cache: - # Configure the SSL Session Cache: First the mechanism - # to use and second the expiring timeout (in seconds). - # (The mechanism dbm has known memory leaks and should not be used). - #SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache - SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000) - SSLSessionCacheTimeout 300 - - # Semaphore: - # Configure the path to the mutual exclusion semaphore the - # SSL engine uses internally for inter-process synchronization. 
- # (Disabled by default, the global Mutex directive consolidates by default - # this) - #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache - - - # SSL Cipher Suite: - # List the ciphers that the client is permitted to negotiate. See the - # ciphers(1) man page from the openssl package for list of all available - # options. - # Enable only secure ciphers: - SSLCipherSuite HIGH:!aNULL - - # SSL server cipher order preference: - # Use server priorities for cipher algorithm choice. - # Clients may prefer lower grade encryption. You should enable this - # option if you want to enforce stronger encryption, and can afford - # the CPU cost, and did not override SSLCipherSuite in a way that puts - # insecure ciphers first. - # Default: Off - #SSLHonorCipherOrder on - - # The protocols to enable. - # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2 - # SSL v2 is no longer supported - SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 - - # Allow insecure renegotiation with clients which do not yet support the - # secure renegotiation protocol. Default: Off - #SSLInsecureRenegotiation on - - # Whether to forbid non-SNI clients to access name based virtual hosts. - # Default: Off - #SSLStrictSNIVHostCheck On - - # Explictly disable SSL compression (should default to off anyway...) - # Note enabling SSL compression makes Apache vulnerable to CRIME attack. - SSLCompression off - - # Default certificate file to use (provided by TurnKey) - SSLCertificateFile /etc/ssl/private/cert.pem - - # enable HTTP/2, if available - Protocols h2 http/1.1 - - # OCSP Stapling - SSLUseStapling On - SSLStaplingCache "shmcb:logs/ssl_stapling(32768)" - - # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds) - Header always set Strict-Transport-Security "max-age=63072000" - - - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet From 783a7c066e23da2e5f04c631b329e83556462dff Mon Sep 17 00:00:00 2001 
From: Jeremy Davis Date: Sat, 11 Oct 2025 12:06:20 +1100 Subject: [PATCH 05/10] Update lighty ssl conf - inc sync default 10-ssl.conf with that provided by lighttpd-mod-openssl pkg --- .../etc/lighttpd/conf-available/10-ssl.conf | 10 +++-- .../lighttpd/etc/lighttpd/ssl-params.conf | 40 +++++++++++++------ 2 files changed, 33 insertions(+), 17 deletions(-) diff --git a/overlays/lighttpd/etc/lighttpd/conf-available/10-ssl.conf b/overlays/lighttpd/etc/lighttpd/conf-available/10-ssl.conf index 4db75bf4..46344eca 100644 --- a/overlays/lighttpd/etc/lighttpd/conf-available/10-ssl.conf +++ b/overlays/lighttpd/etc/lighttpd/conf-available/10-ssl.conf @@ -1,13 +1,15 @@ -# /usr/share/doc/lighttpd/ssl.txt (in 'lighttpd-doc' package) +# /usr/share/doc/lighttpd/ssl.txt +# -*- conflicts: mbedtls, gnutls, nss, wolfssl -*- server.modules += ( "mod_openssl" ) +# ssl.* in global scope gets inherited by +# $SERVER["socket"] == "..." { ssl.engine = "enable" } + # Use TurnKey hardened SSL/TLS defaults for all SSL/TLS traffic. include "ssl-params.conf" $SERVER["socket"] == "0.0.0.0:443" { - ssl.engine = "enable" + ssl.engine = "enable" } - -# support for IPv6 HTTPS via Debian script (in 'lighttpd' package) include_shell "/usr/share/lighttpd/use-ipv6.pl 443" diff --git a/overlays/lighttpd/etc/lighttpd/ssl-params.conf b/overlays/lighttpd/etc/lighttpd/ssl-params.conf index 3e96d044..3349834c 100644 --- a/overlays/lighttpd/etc/lighttpd/ssl-params.conf +++ b/overlays/lighttpd/etc/lighttpd/ssl-params.conf 
@@ -1,24 +1,38 @@ -# This is a shared hardened SSL conf provided by TurnKey -# created 2021-11-11 using guidance from Mozilla Guideline v5.6 -# https://ssl-config.mozilla.org/#server=lighttpd&version=1.4.59&config=intermediate&openssl=1.1.1k&hsts=false&guideline=5.6 +# This is a custom shared hardened SSL conf provided by TurnKey +# created 2025-20-11 using guidance from Mozilla Guideline v5.7 +# https://ssl-config.mozilla.org/#server=lighttpd&version=1.4.79&config=intermediate&openssl=3.5.1&guideline=5.7 +# By default this file is sourced by /etc/lighttpd/conf-available/10-ssl.conf ssl.pemfile = "/etc/ssl/private/cert.pem" ssl.privkey = "/etc/ssl/private/cert.key" ssl.dh-file = "/etc/ssl/private/dhparams.pem" -ssl.openssl.ssl-conf-cmd = ( - "MinProtocol" => "TLSv1.2", - "Options" => "-ServerPreference", - # ciphers set by common/conf/turnkey.d/zz-ssl-ciphers - "CipherString" => "ZZ_SSL_CIPHERS" -) +ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2") +# lighttpd 1.4.79 TLS default appends X448 +#ssl.openssl.ssl-conf-cmd += ("Curves" => "X25519:prime256v1:secp384r1") -setenv.add-response-header = ( - # HTTP Strict Transport Security (63072000 seconds) +# lighttpd TLS defaults are widely supported by clients and should be preferred. +# See https://wiki.lighttpd.net/Docs_SSL +# Uncomment to better match the less restricted Mozilla intermediate spec. 
+# (TKL Ciphers set by common/conf/turnkey.d/zz-ssl-ciphers) +#ssl.openssl.ssl-conf-cmd += ("CipherString" => "ZZ_SSL_CIPHERS") + +# HSTS config + additional hardening +server.modules += ("mod_redirect") +server.modules += ("mod_setenv") +$HTTP["scheme"] == "https" { + # HTTP Strict Transport Security (63072000 seconds) + setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; preload", "X-Frame-Options" => "DENY", - "X-Content-Type-Options" => "nosniff" -) + "X-Content-Type-Options" => "nosniff", + ) +} +else $HTTP["scheme"] == "http" { + url.redirect = ("" => "https://${url.authority}${url.path}${qsa}") +} + +# OCSP stapling config (disabled by default) # OCSP stapling (input file is maintained by external 'cert-staple.sh' script) # https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL#OCSP-Stapling From 879ec469635db30dfcaf4176fcf1ac02f526b478 Mon Sep 17 00:00:00 2001 From: Jeremy Davis Date: Sat, 11 Oct 2025 13:06:03 +1100 Subject: [PATCH 06/10] Sync apache security.conf with default from 'apache2' pkg and reapply TKL mods --- .../etc/apache2/conf-available/security.conf | 32 ++++++++----------- 1 file changed, 13 insertions(+), 19 deletions(-) diff --git a/overlays/apache/etc/apache2/conf-available/security.conf b/overlays/apache/etc/apache2/conf-available/security.conf index b41640ed..d611a84f 100644 --- a/overlays/apache/etc/apache2/conf-available/security.conf +++ b/overlays/apache/etc/apache2/conf-available/security.conf @@ -1,16 +1,13 @@ -# # Disable access to the entire file system except for the directories that # are explicitly allowed later. # -# This currently breaks the configurations that come with some web application -# Debian packages. +# This currently breaks some web app configurations # # # AllowOverride None # Require all denied # - # Changing the following options will not really affect the security of the # server, but might make attacks slightly more difficult in some cases. 
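Review bot: The new header line `# created 2025-20-11 using guidance from Mozilla Guideline v5.7` is not a valid date (there is no month 20); given the commit date it is presumably `# created 2025-10-11 using guidance from Mozilla Guideline v5.7`. The Strict-Transport-Security value now carries `includeSubdomains; preload`, which commits every subdomain of the served name to HTTPS-only and advertises the host for browser preload lists; on an appliance that ships with a self-signed default certificate that is a much stronger commitment than the previous bare `max-age=63072000`, so either drop `preload` until a trusted certificate is in place or add `# preload + includeSubdomains are deliberate; requires a trusted cert on all subdomains` so operators know what they are opting into. The added `# OCSP stapling config (disabled by default)` line immediately precedes the existing `# OCSP stapling (input file is maintained by external 'cert-staple.sh' script)` heading, so one of the two is redundant.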
@@ -21,9 +18,6 @@ # and compiled in modules. # Set to one of: Full | OS | Minimal | Minor | Major | Prod # where Full conveys the most information, and Prod the least. -#ServerTokens Minimal -#ServerTokens OS -#ServerTokens Full ServerTokens Prod # @@ -34,7 +28,6 @@ ServerTokens Prod # Set to "EMail" to also include a mailto: link to the ServerAdmin. # Set to one of: On | Off | EMail ServerSignature Off -#ServerSignature On # # Allow TRACE method @@ -44,34 +37,35 @@ ServerSignature Off # # Set to one of: On | Off | extended TraceEnable Off -#TraceEnable On # # Forbid access to version control directories # # If you use version control systems in your document root, you should -# probably deny access to their directories. For example, for subversion: +# probably deny access to their directories. +# +# Examples: # - - Require all denied - - - Require all denied - +#RedirectMatch 404 /\.git +#RedirectMatch 404 /\.svn + +# Forbid acccess to any/all dot files/dirs +RedirectMatch 404 "/\." +# Note this will also deny access to .well-known so needs to be disabled if +# using non-TurnKey Let's Encrypt tool - e.g. certbot # # Setting this header will prevent MSIE from interpreting files as something # else than declared by the content type in the HTTP headers. # Requires mod_headers to be enabled. # -#Header set X-Content-Type-Options: "nosniff" +Header set X-Content-Type-Options: "nosniff" # # Setting this header will prevent other sites from embedding pages from this # site as frames. This defends against clickjacking attacks. # Requires mod_headers to be enabled. -# -#Header set X-Frame-Options: "sameorigin" +Header set Content-Security-Policy "frame-ancestors 'self';" # vim: syntax=apache ts=4 sw=4 sts=4 sr noet From 84dca41217776fa776757c8cf1fbe1d56781d66d Mon Sep 17 00:00:00 2001 
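Review bot: `Header set Content-Security-Policy "frame-ancestors 'self';"` will overwrite any Content-Security-Policy an application emits itself, because `Header set` at this level is applied to the final response after the application has run; `Header setifempty Content-Security-Policy "frame-ancestors 'self';"` keeps the clickjacking default without clobbering a richer app policy, and keeping `Header always set X-Frame-Options "SAMEORIGIN"` alongside it covers clients that do not evaluate CSP. The surrounding comment still describes the header in X-Frame-Options terms, so it should follow the directive change. Also `# Forbid acccess to any/all dot files/dirs` has a typo (`acccess` → `access`), and since `RedirectMatch 404 "/\."` is unanchored it applies at any path depth, which the comment could state so readers do not take it as root-level only.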
From: Jeremy Davis Date: Sat, 11 Oct 2025 13:11:49 +1100 Subject: [PATCH 07/10] Update nginx config for Trixie --- .../etc/nginx/sites-available/tkl-default | 18 ++++++-- overlays/nginx/etc/nginx/snippets/ssl.conf | 42 +++++++++++++++---- plans/turnkey/nginx-php-fpm-mysql | 1 + 3 files changed, 50 insertions(+), 11 deletions(-) diff --git a/overlays/nginx/etc/nginx/sites-available/tkl-default b/overlays/nginx/etc/nginx/sites-available/tkl-default index 19466775..9938d683 100644 --- a/overlays/nginx/etc/nginx/sites-available/tkl-default +++ b/overlays/nginx/etc/nginx/sites-available/tkl-default @@ -11,7 +11,7 @@ # # This file will automatically load configuration files provided by other # applications, such as Drupal or Wordpress. These applications will be made -# available underneath a path with that package name, such as /drupal8. +# available underneath a path with that package name, such as /drupal12. # # Please see /usr/share/doc/nginx-doc/examples/ (from Debian nginx-doc # package) for more detailed examples. @@ -23,6 +23,9 @@ server { listen 80 default_server; listen [::]:80 default_server; + # temporary redirect to https - update to permanent (308) for production + return 307 https://$host$request_uri; + # SSL configuration listen 443 ssl default_server; listen [::]:443 ssl default_server; @@ -44,8 +47,17 @@ server { # Uncomment to enable PHP-FPM #include snippets/php-fpm.conf; - # deny access to .htaccess files - location ~ /\.ht { + # Deny access to all dot files + location ~ /\. { deny all; + access_log off; + log_not_found off; + return 404; } + # above also disables access to .well-known + # TKL default Let's Encrypt works fine, but other third party tools may + # require this section to be uncommented + #location ^~ /.well-known { + # allow all; + #} } diff --git a/overlays/nginx/etc/nginx/snippets/ssl.conf b/overlays/nginx/etc/nginx/snippets/ssl.conf index 7d031bc5..70c1a477 100644 --- a/overlays/nginx/etc/nginx/snippets/ssl.conf 
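Review bot: `return 307 https://$host$request_uri;` sits at server level in a block that, per the context lines, also has `listen 443 ssl default_server`, so every request — including the HTTPS ones this block is meant to serve — is redirected to itself, which is a redirect loop. The redirect needs its own port-80 server block, with the 443 listeners left in the existing one; `if ($scheme = http) { return 307 https://$host$request_uri; }` would also work but is the less clean option. The snippets/ssl.conf hunk in this same commit adds a port-80 `default_server` block too; with both present nginx refuses to start on a duplicate default server, so only one of the two should exist.
```nginx
# plain-HTTP front door: redirect only, nothing served here
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 307 https://$host$request_uri;
}

server {
    # … unchanged: SSL configuration, listen 443 lines, includes, locations …
```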
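Review bot: In `location ~ /\. { deny all; ... return 404; }` the `return 404` runs in the rewrite phase before `deny all` is evaluated in the access phase, so the `deny all;` line is dead; dropping it leaves `access_log off; log_not_found off; return 404;`, which is what clients actually observe. The comment on the commented-out `location ^~ /.well-known` stanza could also say that the `^~` prefix modifier makes it win over this regex location regardless of ordering in the file, so a reader does not try to move it above.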
+++ b/overlays/nginx/etc/nginx/snippets/ssl.conf @@ -1,16 +1,42 @@ -ssl_certificate /etc/ssl/private/cert.pem; -ssl_certificate_key /etc/ssl/private/cert.key; -ssl_session_timeout 5m; -ssl_session_cache shared:SSL:50m; +ssl_certificate /etc/ssl/private/cert.pem; +ssl_certificate_key /etc/ssl/private/cert.key; -ssl_protocols TLSv1.2 TLSv1.3; +http2 on; -# ciphers added by conf/turnkey.d/zz-ssl-ciphers script -ssl_ciphers ''; -ssl_prefer_server_ciphers on; +ssl_protocols TLSv1.2 TLSv1.3; +ssl_ecdh_curve X25519:prime256v1:secp384r1; +# ciphers added by conf/turnkey.d/zz-ssl-ciphers script +ssl_ciphers 'ZZ_SSL_CIPHERS'; +ssl_prefer_server_ciphers off; ssl_dhparam /etc/ssl/private/dhparams.pem; + add_header X-Content-Type-Options nosniff; +# HSTS +add_header Strict-Transport-Security "max-age=63072000" always; +server { + listen 80 default_server; + listen [::]:80 default_server; + + return 301 https://$host$request_uri; +} + +# see also ssl_session_ticket_key alternative to stateful session cache +ssl_session_timeout 1d; +ssl_session_cache shared:MozSSL:10m; # about 40000 sessions + +# OCSP stapling (disabled by default) +#ssl_stapling on; +#ssl_stapling_verify on; +# verify chain of trust of OCSP response using Root CA and Intermediate certs +#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; + +# replace with the IP address of your resolver; +# async 'resolver' is important for proper operation of OCSP stapling +#resolver 127.0.0.1; +# If certificates are marked OCSP Must-Staple, consider managing the +# OCSP stapling cache with an external script, e.g. certbot-ocsp-fetcher + server_tokens off; diff --git a/plans/turnkey/nginx-php-fpm-mysql b/plans/turnkey/nginx-php-fpm-mysql index 71e89605..1982ab0d 100644 --- a/plans/turnkey/nginx-php-fpm-mysql +++ b/plans/turnkey/nginx-php-fpm-mysql @@ -1,6 +1,7 @@ #include nginx +libnginx-mod-http-modsecurity php-fpm php-gd From 5703b2dc4741999b0ecba8234fab4f65fa9ddef9 Mon Sep 17 00:00:00 2001 
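Review bot: The `server { listen 80 default_server; listen [::]:80 default_server; return 301 https://$host$request_uri; }` block does not belong in a snippet of `ssl_*` directives: if snippets/ssl.conf is included inside the `server` block in tkl-default (the include point is not visible in this diff) a nested `server {}` is a configuration error, and if it is included at `http` level it declares a second `default_server` for port 80 next to the one tkl-default now has with its 307 redirect, which nginx rejects at start-up. Keep the redirect in tkl-default only and remove this block from the snippet. The session settings change from `5m`/`shared:SSL:50m` to `1d`/`shared:MozSSL:10m` without an explanatory line; `# session cache/timeout per Mozilla intermediate profile` next to them would keep the provenance visible, which `ssl_prefer_server_ciphers off` already hints at.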
From: Jeremy Davis Date: Sat, 11 Oct 2025 13:44:19 +1100 Subject: [PATCH 08/10] Update tomcat config for trixie - perhaps v10 & v11 should be separate? --- conf/tomcat | 36 ++- .../tomcat-apache/etc/tomcat11/mod_jk.conf | 7 + .../tomcat-apache/etc/tomcat11/server.xml | 174 +++++++++++++++ overlays/tomcat/etc/tomcat10/server.xml | 30 ++- overlays/tomcat/etc/tomcat11/server.xml | 206 ++++++++++++++++++ overlays/tomcat/etc/tomcat11/tomcat-users.xml | 10 + 6 files changed, 442 insertions(+), 21 deletions(-) create mode 100644 overlays/tomcat-apache/etc/tomcat11/mod_jk.conf create mode 100644 overlays/tomcat-apache/etc/tomcat11/server.xml create mode 100644 overlays/tomcat/etc/tomcat11/server.xml create mode 100644 overlays/tomcat/etc/tomcat11/tomcat-users.xml diff --git a/conf/tomcat b/conf/tomcat index a67f8100..1b2b6d9e 100755 --- a/conf/tomcat +++ b/conf/tomcat 
@@ -1,17 +1,30 @@ -#!/bin/sh -ex +#!/bin/bash -ex -fatal() { echo "FATAL [$(basename $0)]: $@" 1>&2; exit 1; } +fatal() { echo "FATAL [$(basename "$0")]: $*" 1>&2; exit 1; } -TOMCAT=tomcat10 +if [[ -e /var/lib/tomcat10 ]]; then + TOMCAT=tomcat10 +elif [[ -e /var/lib/tomcat11 ]]; then + TOMCAT=tomcat11 +else + fatal "Tomcat version could not be determined" +fi CATALINA_HOME="/usr/share/$TOMCAT" CATALINA_BASE="/var/lib/$TOMCAT" CATALINA_TMPDIR="$CATALINA_BASE/temp" -# identify JVM to use -## We check for openjdk 17 -[ -e /usr/lib/jvm/java-17-openjdk-amd64 ] && JVM=java-17-openjdk-amd64 -[ -z "$JVM" ] && fatal "JVM to use could not be identified" +# identify JVM to use - Trixie provides openjdk 21 & 25 +if [[ -e /usr/lib/jvm/java-21-openjdk-amd64 ]]; then + JVM=java-21-openjdk-amd64 + JINFO=$(ls /usr/lib/jvm/.*java*21*jinfo) +elif [[ -e /usr/lib/jvm/java-25-openjdk-amd64 ]]; then + JVM=java-25-openjdk-amd64 + JINFO=$(ls /usr/lib/jvm/.*java*25*jinfo) +else + fatal "JVM to use could not be identified" +fi + # configure java/tomcat environment cat >> /etc/environment< + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/overlays/tomcat/etc/tomcat10/server.xml b/overlays/tomcat/etc/tomcat10/server.xml index fff858f6..f9e65307 100644 --- a/overlays/tomcat/etc/tomcat10/server.xml +++ b/overlays/tomcat/etc/tomcat10/server.xml @@ -105,15 +105,27 @@ --> - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/overlays/tomcat/etc/tomcat11/tomcat-users.xml b/overlays/tomcat/etc/tomcat11/tomcat-users.xml new file mode 100644 index 00000000..a07a2c95 --- /dev/null +++ b/overlays/tomcat/etc/tomcat11/tomcat-users.xml @@ -0,0 +1,10 @@ + + + + + + + + + + From 89ea955614658b016e05fcc198e25c52650be6fb Mon Sep 17 00:00:00 2001 
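Review bot: `JINFO=$(ls /usr/lib/jvm/.*java*21*jinfo)` (and the java-25 twin below it) parses `ls` to resolve a glob the shell can expand itself, and because the script runs with `-e` a missing .jinfo file aborts with ls's error instead of the `fatal` message; `JINFO=(/usr/lib/jvm/.*java*21*jinfo)` followed by `[[ -e "${JINFO[0]}" ]] || fatal "no .jinfo for $JVM"` keeps the failure explicit, and `$JINFO` still expands to the first match for any later use. The Tomcat detection tests `/var/lib/tomcat10` before `/var/lib/tomcat11`, so a host with both picks 10 silently; a one-line comment stating that precedence is intended (or a `fatal` when both exist) would avoid surprises. The remainder of this hunk from `cat >> /etc/environment` onward, and the server.xml / tomcat-users.xml overlays in this commit, are garbled in this view and were not reviewed.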
From: Jeremy Davis Date: Sat, 11 Oct 2025 14:13:13 +1100 Subject: [PATCH 09/10] postfix initscript no longer works, so just call posfix directly --- conf/turnkey.d/postfix-local | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/conf/turnkey.d/postfix-local b/conf/turnkey.d/postfix-local index 7e0de5db..6331848f 100755 --- a/conf/turnkey.d/postfix-local +++ b/conf/turnkey.d/postfix-local @@ -30,6 +30,6 @@ postconf -e smtpd_tls_mandatory_ciphers=medium # ciphers set by common/conf/turnkey.d/zz-ssl-ciphers postconf -e tls_medium_cipherlist="ZZ_SSL_CIPHERS" -service postfix start +postmulti -x postfix start systemctl enable postfix@-.service -service postfix stop +postmulti -x postfix stop From 371a7b79a08fc9a78ec30dc137f1e8c9b63d914b Mon Sep 17 00:00:00 2001 From: Jeremy Davis Date: Sun, 12 Oct 2025 23:52:17 +0000 Subject: [PATCH 10/10] Replace common sysctl conf script with /etc/sysctl.d/ overlay (/etc/sysctl.conf does not exist in trixie) --- .../etc/sysctl.d/00-quiet-console.conf | 9 ++------ .../etc/sysctl.d/10-hardening-turnkey.conf | 22 +++++++++---------- 2 files changed, 13 insertions(+), 18 deletions(-) rename conf/turnkey.d/sysctl => overlays/turnkey.d/sysctl-hardening/etc/sysctl.d/00-quiet-console.conf (70%) mode change 100755 => 100644 diff --git a/conf/turnkey.d/sysctl b/overlays/turnkey.d/sysctl-hardening/etc/sysctl.d/00-quiet-console.conf old mode 100755 new mode 100644 similarity index 70% rename from conf/turnkey.d/sysctl rename to overlays/turnkey.d/sysctl-hardening/etc/sysctl.d/00-quiet-console.conf index e880f4c3..24491ef0 --- a/conf/turnkey.d/sysctl +++ b/overlays/turnkey.d/sysctl-hardening/etc/sysctl.d/00-quiet-console.conf @@ -1,4 +1,4 @@ -#!/bin/bash -e +# Config provided by TurnKey # KERN_EMERG 0 system is unusable # KERN_ALERT 1 action must be taken immediately 
@@ -11,10 +11,5 @@ # suppress low-level messages on the console # console default_message minimum_console default_console -sed -i "s|#kernel.printk\(.*\)|kernel.printk = 1 4 1 7|" /etc/sysctl.conf -cat >> /etc/sysctl.conf << EOF -# Disable TCP timestamps -net.ipv4.tcp_timestamps = 0 -# -EOF +kernel.printk = 1 4 1 7 diff --git a/overlays/turnkey.d/sysctl-hardening/etc/sysctl.d/10-hardening-turnkey.conf b/overlays/turnkey.d/sysctl-hardening/etc/sysctl.d/10-hardening-turnkey.conf index 236a5d03..01307f11 100644 --- a/overlays/turnkey.d/sysctl-hardening/etc/sysctl.d/10-hardening-turnkey.conf +++ b/overlays/turnkey.d/sysctl-hardening/etc/sysctl.d/10-hardening-turnkey.conf @@ -1,12 +1,13 @@ +# System Hardening config provided by TurnKey # -# /etc/sysctl.d/10-hardening.conf - Configuration file -# for hardening system variables as recommended by Lynis. +# hardened system variables as recommended by Lynis +# - https://cisofy.com/lynis/ # -# Settings can be overridden in /etc/sysctl.conf. -# See /etc/sysctl.d/ for additional system variables. -# See sysctl.conf (5) for information. +# For more info see: +# - sysctl.conf (5) (i.e. 'man sysctl.conf') +# - https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt # -##############################################################3 +############################################################## # Harden kernel recommendations by Lynis fs.suid_dumpable = 0 kernel.core_uses_pid = 1 @@ -14,8 +15,7 @@ kernel.dmesg_restrict = 1 kernel.kptr_restrict = 2 kernel.sysrq = 0 - -##############################################################3 +############################################################## # Functions previously found in netbase # 
@@ -67,6 +67,6 @@ net.ipv6.conf.all.accept_source_route = 0 net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1 # -# Disable TCP timestamps -net.ipv4.tcp_timestamps = 0 -# +# Explcitly enable tcp_timestamps (should be default) +# - kernel now adds a random offset for each connection so safe to enable +net.ipv4.tcp_timestamps = 1
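Review bot: The new comment `# Explcitly enable tcp_timestamps (should be default)` has a typo; `# Explicitly enable tcp_timestamps (matches the kernel default)`. The justification `# - kernel now adds a random offset for each connection so safe to enable` could name the threshold — per-connection timestamp offset randomisation arrived in Linux 4.10 as far as I recall — so a reader on an older kernel knows the uptime-leak concern still applies there. Since the first hunk of this commit removes the `net.ipv4.tcp_timestamps = 0` append from the old sysctl script, the two files no longer contradict each other, which is worth stating in the commit message for anyone bisecting a behaviour change.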