From 20014ed62748acff0a083f66b212d8c04465ad33 Mon Sep 17 00:00:00 2001 From: navigator Date: Fri, 20 Mar 2026 15:58:41 +0000 Subject: [PATCH 1/7] WIP: idempotency fixes and postgresql plan for 19.x-dev --- conf/turnkey.d/dpkg-vendor | 2 +- conf/turnkey.d/fail2ban-fixes | 2 +- conf/turnkey.d/monit | 2 +- conf/turnkey.d/roothome | 2 +- conf/turnkey.d/webmin-history | 9 +++++---- conf/turnkey.d/webmin-lets-enc | 12 +++++++----- conf/turnkey.d/webmin-theme | 12 ++++++------ plans/turnkey/postgresql | 2 ++ 8 files changed, 24 insertions(+), 19 deletions(-) create mode 100644 plans/turnkey/postgresql diff --git a/conf/turnkey.d/dpkg-vendor b/conf/turnkey.d/dpkg-vendor index 559fb87d..709d8439 100755 --- a/conf/turnkey.d/dpkg-vendor +++ b/conf/turnkey.d/dpkg-vendor @@ -4,4 +4,4 @@ # returns the correct string rm -rf /etc/dpkg/origins/default -ln -s /etc/dpkg/origins/TurnKey /etc/dpkg/origins/default +ln -sf /etc/dpkg/origins/TurnKey /etc/dpkg/origins/default diff --git a/conf/turnkey.d/fail2ban-fixes b/conf/turnkey.d/fail2ban-fixes index 83612bc0..9c545f8c 100755 --- a/conf/turnkey.d/fail2ban-fixes +++ b/conf/turnkey.d/fail2ban-fixes @@ -27,7 +27,7 @@ cat > fail2ban.patch </dev/null && git apply fail2ban.patch || echo "patch already applied, skipping" rm fail2ban.patch cat > /etc/cron.weekly/fail2ban <> $CONF_DIR/config echo "preroot=$WEBMIN_THEME" >> $CONF_DIR/miniserv.conf - -mv $LOGO_DIR/tkl-logo-white.png $LOGO_DIR/logo.png -mv $LOGO_DIR/tkl-logo-black.png $LOGO_DIR/logo_welcome.png +if [ -f $LOGO_DIR/tkl-logo-white.png ]; then + mv $LOGO_DIR/tkl-logo-white.png $LOGO_DIR/logo.png + mv $LOGO_DIR/tkl-logo-black.png $LOGO_DIR/logo_welcome.png +else + echo "TKL logos not found in overlay, skipping webmin theme logos" +fi diff --git a/plans/turnkey/postgresql b/plans/turnkey/postgresql new file mode 100644 index 00000000..76000169 --- /dev/null +++ b/plans/turnkey/postgresql @@ -0,0 +1,2 @@ +postgresql +webmin-postgresql 
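Review bot: In the fail2ban-fixes hunk of patch 1/7, the chain ending in `&& git apply fail2ban.patch || echo "patch already applied, skipping"` prints "already applied" for every failure, including a patch that no longer matches the installed fail2ban files, so the fix can be missing from an image without the build noticing. The start of that command is not legible in this rendering, so I am assuming the first stage is a check whose stderr is discarded. I would confirm the already-applied case explicitly with a reverse check, e.g. `git apply -R --check fail2ban.patch 2>/dev/null`, and let any other failure exit non-zero with its error shown.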
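Review bot: In the webmin-theme hunk, the new guard tests only `tkl-logo-white.png` but the branch moves both logos, so a missing `tkl-logo-black.png` still makes the second `mv` fail. On a second run the script also reports "TKL logos not found in overlay" when the files have simply been moved already. Testing both files, `if [ -f "$LOGO_DIR/tkl-logo-white.png" ] && [ -f "$LOGO_DIR/tkl-logo-black.png" ]; then`, and quoting `$LOGO_DIR` in the `mv` lines would cover the first case. The `echo "preroot=$WEBMIN_THEME" >> $CONF_DIR/miniserv.conf` line just above still appends on every run, which works against the idempotency this commit is after; the first part of the hunk is not legible here, so that may already be handled.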
From 4ad80fd9d34ea2bc6f95f562ddb8e619e7c363c5 Mon Sep 17 00:00:00 2001
From: PopSolutions
Date: Sat, 21 Mar 2026 04:18:18 +0000
Subject: [PATCH 2/7] feat: TurnKey Linux v19 Trixie migration fixes
- plans/turnkey/base: add libsocket6-perl + libio-socket-ssl-perl (IPv6 Webmin)
- plans/turnkey/base: uncomment tklbam (migrated to Python 3.13)
- conf/turnkey.d/webmin-conf: enable ipv6=1 by default
- overlays/turnkey.d/networking/etc/gai.conf: prefer IPv4 for external connections
Tested: Built turnkey-core v19 ISO (406MB), LXC container running with Webmin on IPv4+IPv6, SSH, systemd, Python 3.13, kernel 6.12.
---
conf/turnkey.d/confconsole-autorun | 20 ++++++++++++++------
conf/turnkey.d/etckeeper | 1 +
conf/turnkey.d/webmin-conf | 1 +
overlays/turnkey.d/networking/etc/gai.conf | 2 ++
plans/turnkey/base | 6 +++++-
5 files changed, 23 insertions(+), 7 deletions(-)
create mode 100644 overlays/turnkey.d/networking/etc/gai.conf
diff --git a/conf/turnkey.d/confconsole-autorun b/conf/turnkey.d/confconsole-autorun
index c6cca122..4f3c0f15 100755
--- a/conf/turnkey.d/confconsole-autorun
+++ b/conf/turnkey.d/confconsole-autorun
@@ -2,12 +2,20 @@ # copy in confconsole auto start file mkdir -p /root/.bashrc.d/ -cp /usr/share/confconsole/autostart/confconsole-auto \ - /root/.bashrc.d/confconsole-auto -# should already be executable, but just in case -chmod +x /root/.bashrc.d/confconsole-auto +if [ -f /usr/share/confconsole/autostart/confconsole-auto ]; then + cp /usr/share/confconsole/autostart/confconsole-auto \ + /root/.bashrc.d/confconsole-auto + # should already be executable, but just in case + chmod +x /root/.bashrc.d/confconsole-auto +else + echo "Warning: confconsole-auto file not found, skipping copy" +fi # autostart "once" CONF=/etc/confconsole/confconsole.conf -sed -i "s|^#autostart|autostart|g" $CONF -sed -i "s|^autostart.*|autostart once|g" $CONF +if [ -f "$CONF" ]; then + sed -i "s|^#autostart|autostart|g" $CONF + sed -i "s|^autostart.*|autostart once|g" $CONF +else + echo "Warning: $CONF not found, skipping autostart configuration" +fi diff --git a/conf/turnkey.d/etckeeper b/conf/turnkey.d/etckeeper index 2b030140..b17da06f 100755 --- a/conf/turnkey.d/etckeeper +++ b/conf/turnkey.d/etckeeper @@ -2,5 +2,6 @@ # un-initialize etckeeper echo "inithooks.conf" >> /etc/.gitignore +mkdir -p /etc/etckeeper/uninit.d etckeeper uninit -f diff --git a/conf/turnkey.d/webmin-conf b/conf/turnkey.d/webmin-conf index 97b63661..4c768b9c 100755 --- a/conf/turnkey.d/webmin-conf +++ b/conf/turnkey.d/webmin-conf @@ -26,3 +26,4 @@ update_or_add no_tls1_1 1 update_or_add no_tls1_2 update_or_add extracas update_or_add ssl_hsts 0 +update_or_add ipv6 1 diff --git a/overlays/turnkey.d/networking/etc/gai.conf b/overlays/turnkey.d/networking/etc/gai.conf new file mode 100644 index 00000000..8ff914b8 --- /dev/null +++ b/overlays/turnkey.d/networking/etc/gai.conf @@ -0,0 +1,2 @@ +# Prefer IPv4 for external connections (v19) +precedence ::ffff:0:0/96 100 diff --git a/plans/turnkey/base b/plans/turnkey/base index 83f3ee8f..8c5237a5 100644 --- a/plans/turnkey/base +++ b/plans/turnkey/base 
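Review bot: Both new `else` branches in confconsole-autorun write their warning to stdout and the script still finishes successfully, so an image built without `confconsole-auto` or `confconsole.conf` looks like a good build unless someone reads the log. The `[ -f "$CONF" ] || exit 0` guard that patch 3/7 adds to fail2ban-fixes has the same effect and prints nothing at all. Sending the messages to stderr, e.g. `echo "Warning: $CONF not found, skipping autostart configuration" >&2`, and adding an equivalent message in fail2ban-fixes would at least make each skip visible. The two `sed -i` lines also pass `$CONF` unquoted although the test above them quotes it.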
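Review bot: `update_or_add ipv6 1` in the webmin-conf hunk turns on IPv6 for Webmin on every appliance, and patch 6/7 of this series enables DHCPv6 on eth0 and eth1, so the admin interface may end up reachable on a globally routable address with no NAT in front of it. Nothing in the visible hunks adds or checks IPv6 packet filtering, so it is worth confirming that the default firewall rules cover IPv6 the same way they cover IPv4 before this becomes the default. A comment on the line would record that dependency, for example `# ipv6=1: Webmin listens on IPv6 too; default firewall must filter IPv6`. The helper `update_or_add` is defined outside this hunk.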
@@ -26,7 +26,7 @@ dbus /* seed entropy in early boot (especially useful when live booting). */ jitterentropy-rngd -//tklbam /* still depends on py2 for now */ +tklbam hubdns inithooks @@ -96,3 +96,7 @@ python3-requests /* confconsole lets encrypt recommends (actually depends //ifndef CHROOT_ONLY acpi-support-base //endif + +/* IPv6 support for Webmin (v19) */ +libsocket6-perl +libio-socket-ssl-perl From 4c6f5c967bf9b35c6b23ac01320d5604f9cd8cc1 Mon Sep 17 00:00:00 2001 From: PopSolutions Date: Sun, 22 Mar 2026 08:27:44 +0000 Subject: [PATCH 3/7] fix: guard fail2ban-fixes script when fail2ban not installed --- conf/turnkey.d/fail2ban-fixes | 1 + 1 file changed, 1 insertion(+) diff --git a/conf/turnkey.d/fail2ban-fixes b/conf/turnkey.d/fail2ban-fixes index 9c545f8c..dec071bd 100755 --- a/conf/turnkey.d/fail2ban-fixes +++ b/conf/turnkey.d/fail2ban-fixes @@ -4,6 +4,7 @@ # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305 CONF=/etc/fail2ban/fail2ban.conf +[ -f "$CONF" ] || exit 0 if ! grep -q '^allowipv6' $CONF; then sed -i '\|^\[Definition\]|a \\nallowipv6 = auto' $CONF fi From 02910e7112df8e2fd7e1bc85c7b82c1e8a606c77 Mon Sep 17 00:00:00 2001 From: PopSolutions Date: Sun, 22 Mar 2026 08:51:23 +0000 Subject: [PATCH 4/7] fix: add locales to base plan (no longer pulled as dependency in Trixie) --- plans/turnkey/base | 1 + 1 file changed, 1 insertion(+) diff --git a/plans/turnkey/base b/plans/turnkey/base index 8c5237a5..3f1afd72 100644 --- a/plans/turnkey/base +++ b/plans/turnkey/base @@ -41,6 +41,7 @@ etckeeper git lsb-release +locales localepurge man-db screen From 07d32fb7d1f96a15caa20de167d5a1ce053df945 Mon Sep 17 00:00:00 2001 From: PopSolutions Date: Sun, 22 Mar 2026 10:12:42 +0000 Subject: [PATCH 5/7] fix: add mawk to base plan (resolves virtual package awk for Trixie) --- plans/turnkey/base | 1 + 1 file changed, 1 insertion(+) diff --git a/plans/turnkey/base b/plans/turnkey/base index 3f1afd72..3033dfae 100644 --- a/plans/turnkey/base 
+++ b/plans/turnkey/base @@ -43,6 +43,7 @@ git lsb-release locales localepurge +mawk man-db screen dtach From abb551671df1d5c2832fa418f3c4c11e2562fa17 Mon Sep 17 00:00:00 2001 From: PopSolutions Date: Tue, 24 Mar 2026 13:40:45 +0000 Subject: [PATCH 6/7] Replace udhcpc with dhcpcd for dual-stack DHCPv4/DHCPv6 support - Switch from udhcpc (IPv4-only) to dhcpcd (dual-stack v4+v6) - Add inet6 dhcp stanzas to interfaces overlay for eth0 and eth1 - Remove udhcpc-fix overlay (resolvconf integration handled natively by dhcpcd) - Mask dhcpcd.service daemon to prevent conflict with ifupdown (ifupdown invokes dhcpcd on-demand via ifup/ifdown) Tested: ifupdown 0.8.44 (Trixie) natively supports dhcpcd-base. With daemon masked, ifup eth0 successfully obtains both DHCPv4 and DHCPv6 (SLAAC) addresses using a single package. This enables dual-stack IPv4+IPv6 out of the box for all TKL v19 appliances without breaking confconsole/ifupdown integration. --- .../etc/systemd/system/dhcpcd.service | 1 + .../interfaces/etc/network/interfaces | 2 + .../udhcpc-fix/etc/udhcpc/default.script | 67 ------------------- plans/net | 2 +- 4 files changed, 4 insertions(+), 68 deletions(-) create mode 120000 overlays/turnkey.d/dhcpcd-noauto/etc/systemd/system/dhcpcd.service delete mode 100755 overlays/turnkey.d/udhcpc-fix/etc/udhcpc/default.script diff --git a/overlays/turnkey.d/dhcpcd-noauto/etc/systemd/system/dhcpcd.service b/overlays/turnkey.d/dhcpcd-noauto/etc/systemd/system/dhcpcd.service new file mode 120000 index 00000000..dc1dc0cd --- /dev/null +++ b/overlays/turnkey.d/dhcpcd-noauto/etc/systemd/system/dhcpcd.service @@ -0,0 +1 @@ +/dev/null \ No newline at end of file diff --git a/overlays/turnkey.d/interfaces/etc/network/interfaces b/overlays/turnkey.d/interfaces/etc/network/interfaces index 50435040..ba3b9902 100644 --- a/overlays/turnkey.d/interfaces/etc/network/interfaces +++ b/overlays/turnkey.d/interfaces/etc/network/interfaces 
@@ -6,8 +6,10 @@ iface lo inet loopback auto eth0 iface eth0 inet dhcp +iface eth0 inet6 dhcp hostname _UNCONFIGURED_ allow-hotplug eth1 iface eth1 inet dhcp +iface eth1 inet6 dhcp hostname _UNCONFIGURED_ diff --git a/overlays/turnkey.d/udhcpc-fix/etc/udhcpc/default.script b/overlays/turnkey.d/udhcpc-fix/etc/udhcpc/default.script deleted file mode 100755 index a9a3e977..00000000 --- a/overlays/turnkey.d/udhcpc-fix/etc/udhcpc/default.script +++ /dev/null @@ -1,67 +0,0 @@ -#!/bin/sh -# Busybox udhcpc dispatcher script. Copyright (C) 2009 by Axel Beckert. -# -# Based on the busybox example scripts and the old udhcp source -# package default.* scripts. - -RESOLV_CONF="/etc/resolv.conf" - -case $1 in - bound|renew) - [ -n "$broadcast" ] && BROADCAST="broadcast $broadcast" - [ -n "$subnet" ] && NETMASK="netmask $subnet" - - /sbin/ifconfig $interface $ip $BROADCAST $NETMASK - - if [ -n "$router" ]; then - echo "$0: Resetting default routes" - while /sbin/route del default gw 0.0.0.0 dev $interface; do :; done - - metric=0 - for i in $router; do - if [ "$subnet" = "255.255.255.255" ]; then - /sbin/ip route add default via $i dev $interface metric $metric onlink - else - /sbin/ip route add default via $i dev $interface metric $metric - fi - metric=$(($metric + 1)) - done - fi - - # Update resolver configuration file - R="" - [ -n "$domain" ] && R="domain $domain -" - for i in $dns; do - echo "$0: Adding DNS $i" - R="${R}nameserver $i -" - done - - if [ -x /sbin/resolvconf ]; then - echo -n "$R" | resolvconf -a "${interface}.udhcpc" - else - echo -n "$R" > "$RESOLV_CONF" - fi - ;; - - deconfig) - if [ -x /sbin/resolvconf ]; then - resolvconf -d "${interface}.udhcpc" - fi - /sbin/ifconfig $interface 0.0.0.0 - ;; - - leasefail) - echo "$0: Lease failed: $message" - ;; - - nak) - echo "$0: Received a NAK: $message" - ;; - - *) - echo "$0: Unknown udhcpc command: $1"; - exit 1; - ;; -esac diff --git a/plans/net b/plans/net index 9cf9fdf0..a376eba7 100644 --- a/plans/net 
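Review bot: The added `iface eth0 inet6 dhcp` line sits between `iface eth0 inet dhcp` and its `hostname _UNCONFIGURED_` option, and options in an interfaces file belong to the stanza that precedes them, so the hostname setting now attaches to the inet6 stanza and the DHCPv4 stanza loses it; eth1 has the same ordering. Indentation is lost in this rendering, but position alone decides the attachment. Placing each new line after the option keeps the IPv4 behaviour: `iface eth0 inet dhcp`, `hostname _UNCONFIGURED_`, `iface eth0 inet6 dhcp`. If the hostname is meant to be sent over DHCPv6 as well, that needs checking against the options the inet6 dhcp method accepts.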
+++ b/plans/net @@ -4,6 +4,6 @@ bind9-host # Version of 'host' bundled with BIND 9.X netbase # Basic TCP/IP networking system net-tools # The NET-3 networking toolkit iproute2 # networking and traffic control tools -udhcpc # very small DHCP client +dhcpcd # Also very small DHCPv4 and DHCPv6 client traceroute # Traces the route taken by packets over a tcp/ip network iputils-ping # Tools to test the reachability of network hosts From e34762f2421d58dc13eb7e48a5c6291d61151a78 Mon Sep 17 00:00:00 2001 From: PopSolutions Date: Tue, 24 Mar 2026 21:04:43 +0000 Subject: [PATCH 7/7] fix: enable apache-ssl conf script for all Apache appliances The apache-ssl conf script (which configures TLS protocol hardening, cipher suites, default certificate paths, OCSP stapling, HSTS, and HTTP/2) existed in common/conf/ but was never invoked by any .mk file. This caused all Apache+SSL appliances on Trixie to start with SSLEngine on but no SSLCertificateFile, resulting in fatal mod_ssl errors on boot. Add apache-ssl to apache.mk COMMON_CONF so it runs automatically for every appliance that includes Apache. --- mk/turnkey/apache.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mk/turnkey/apache.mk b/mk/turnkey/apache.mk index 6902c022..a5996edb 100644 --- a/mk/turnkey/apache.mk +++ b/mk/turnkey/apache.mk @@ -1,2 +1,2 @@ COMMON_OVERLAYS += apache -COMMON_CONF += apache-vhost apache-headers apache-security +COMMON_CONF += apache-vhost apache-headers apache-security apache-ssl
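Review bot: The plans/net hunk installs `dhcpcd`, while the commit message reports the test against `dhcpcd-base`, and the series then needs a `/dev/null` symlink to mask `dhcpcd.service`. If the unit file is shipped only by the `dhcpcd` package, which I believe is the Debian split but have not verified for this release, listing `dhcpcd-base` here would leave no daemon unit on the image to mask. The trailing comment `# Also very small DHCPv4 and DHCPv6 client` reads like a leftover from the udhcpc line; `# DHCPv4 and DHCPv6 client` would do.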