From 56357587f9a7b413865fc23d035c67338bf1deb6 Mon Sep 17 00:00:00 2001 From: Stefan Davis Date: Sun, 8 Feb 2026 22:52:17 +0000 Subject: [PATCH 1/3] fix builds and move NO_PROXY to makefiles --- conf/bootstrap_apt | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/conf/bootstrap_apt b/conf/bootstrap_apt index e68dab98..72ea1d1e 100755 --- a/conf/bootstrap_apt +++ b/conf/bootstrap_apt @@ -1,4 +1,4 @@ -#!/bin/bash -e +#!/bin/bash -ex # create apt sources # environment variables: @@ -26,9 +26,6 @@ # - if not the same as guest, apply relevant transition changes # - NO_TURNKEY_APT_REPO : # - disable TurnKey apt repos - useful during early transition -# - NO_PROXY : -# - same as APT_PROXY_OVERRIDE=disable (will override APT_PROXY_OVERRIDE -# if both set to different values) # Note, to install packages from backports: # - set 'BACKPORTS=y'; and either: @@ -112,13 +109,13 @@ fi if [[ $deb_ver -le 10 ]] && [[ "$distro" == 'debian' ]]; then sec_repo="$CODENAME/updates" - PROXY_PORT=8124 + PROXY_PORT="$(echo "$FAB_HTTPS_PROXY" | sed -En 's/.*:([0-9]+).*/\1/p')" elif [[ $deb_ver -ge 11 ]] || [[ "$distro" == 'ubuntu' ]]; then sec_repo="$CODENAME-security" PROXY_PORT=3128 fi -if [[ "${APT_PROXY_OVERRIDE,,}" == "disable" ]] || [[ -n "$NO_PROXY" ]]; then +if [[ "${APT_PROXY_OVERRIDE,,}" == "disable" ]]; then PROXY_PORT= elif [[ -n $APT_PROXY_OVERRIDE ]]; then PROXY_PORT=$APT_PROXY_OVERRIDE From f6aeb859fe68b939f188f5f4342796bc509c30e7 Mon Sep 17 00:00:00 2001 From: Stefan Davis Date: Thu, 12 Mar 2026 05:12:01 +0000 Subject: [PATCH 2/3] update tkl bashlib --- .../usr/local/src/tkl-bashlib/init.sh | 2 +- .../local/src/tkl-bashlib/tkl_download.bash | 23 +++++++++++++++++++ 2 files changed, 24 insertions(+), 1 deletion(-) create mode 100644 overlays/turnkey.d/tkl-bashlib/usr/local/src/tkl-bashlib/tkl_download.bash 
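Review bot: The new shebang `#!/bin/bash -ex` in the first hunk of conf/bootstrap_apt turns on xtrace for the whole script, so every expanded command goes to the build log. That includes the `FAB_HTTPS_PROXY` value a later hunk in this commit starts reading, and if that URL ever carries credentials they would land in the log. This reads like leftover debugging. If tracing is wanted, keep the shebang at `-e` and make it opt-in in the body, e.g. `[[ -z "$DEBUG" ]] || set -x` (variable name is a placeholder for whatever the project uses). Options on the shebang are also lost when the script is run as `bash conf/bootstrap_apt`.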
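Review bot: In the Debian <= 10 branch, `PROXY_PORT` is now whatever sed extracts from `FAB_HTTPS_PROXY`, so it is empty when that variable is unset or has no `:port`, where it used to be 8124. Nothing visible here tells an intentional "no proxy" apart from a malformed value, and the >= 11 / Ubuntu branch still hard-codes 3128, so the two branches now behave differently. If empty is meant to disable the proxy, a comment such as `# empty PROXY_PORT = no apt proxy (FAB_HTTPS_PROXY unset)` would make that explicit; otherwise add `PROXY_PORT="${PROXY_PORT:-8124}"` on the following line as a fallback. The second `if`/`elif` chain continues beyond the hunk, so how `PROXY_PORT` is finally consumed cannot be checked from here.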
diff --git a/overlays/turnkey.d/tkl-bashlib/usr/local/src/tkl-bashlib/init.sh b/overlays/turnkey.d/tkl-bashlib/usr/local/src/tkl-bashlib/init.sh index 2feb2d42..f64f5672 100644 --- a/overlays/turnkey.d/tkl-bashlib/usr/local/src/tkl-bashlib/init.sh +++ b/overlays/turnkey.d/tkl-bashlib/usr/local/src/tkl-bashlib/init.sh @@ -25,7 +25,7 @@ export DEBIAN_FRONTEND=noninteractive # functions for errors and warnings fatal() { echo "FATAL: ${@}" >&2; exit 1; } -warn() { echo "WARN: ${@}" >&2; exit 1; } +warn() { echo "WARN: ${@}" >&2; } # check for integers # if any elements of $@ are _not_ integers - will return 1 diff --git a/overlays/turnkey.d/tkl-bashlib/usr/local/src/tkl-bashlib/tkl_download.bash b/overlays/turnkey.d/tkl-bashlib/usr/local/src/tkl-bashlib/tkl_download.bash new file mode 100644 index 00000000..9bbc32c8 --- /dev/null +++ b/overlays/turnkey.d/tkl-bashlib/usr/local/src/tkl-bashlib/tkl_download.bash @@ -0,0 +1,23 @@ +# (c) 2026 - TurnKey GNU/Linux - all rights reserved +# +# This script is part of TKLDev BashLib. +# +# The source can be located locally on TKLDev: +# ${FAB_PATH}/common/overlays/turnkey.d/tkl-bashlib +# +# To use it within a conf script, first source the base 'init' script: +# +# source /usr/local/src/tkl-bashlib/init +# +# For more info, including licence, please see the README.rst (should be in +# the same dir as this file). + +dl() { + cd "$2" + if [[ "$FAB_HTTP_PROXY" ]]; then + http_proxy="$FAB_HTTP_PROXY" https_proxy="$FAB_HTTPS_PROXY" wget "$1" + else + wget "$1" + fi + cd - +} From cc3881ac333df52c8f30cfac89bfb1f38426f0c9 Mon Sep 17 00:00:00 2001 From: Stefan Davis Date: Thu, 12 Mar 2026 05:13:32 +0000 Subject: [PATCH 3/3] apache/mysql fixes & updates --- conf/apache-ssl | 3 ++- conf/mysql | 14 +++----------- conf/turnkey.d/zz-ssl-ciphers | 10 ++-------- mk/turnkey/apache.mk | 2 +- 4 files changed, 8 insertions(+), 21 deletions(-) diff --git a/conf/apache-ssl b/conf/apache-ssl index ab9627a0..97e0e115 100755 --- a/conf/apache-ssl 
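Review bot: With `exit 1` removed from `warn`, any caller that used it on a condition that should stop the build now carries on. The callers are outside this hunk, so it is worth checking each `warn` call site and switching those that guard a failed download or verification step to `fatal`. As a style point, `${@}` inside a larger string mixes an array into a string (ShellCheck SC2145); `warn() { echo "WARN: $*" >&2; }` says the same thing unambiguously. The same applies to `fatal` on the context line above.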
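Review bot: `dl` in the new tkl_download.bash reports success even when the download fails, because its return status is that of the final `cd -`. An unchecked `cd "$2"` failure also makes wget write into whatever the current directory is, before `cd -` jumps to an unrelated one, and `cd -` prints the directory to stdout for any caller capturing output. Letting wget place the file itself removes both directory changes and lets wget's status propagate. Nothing here checks the integrity of what was fetched, so callers should verify a checksum or signature before using the file. A one-line usage comment for `dl URL DEST_DIR` would help as well.

```shell
dl() {
    # usage: dl URL DEST_DIR - returns wget's exit status
    local url="$1" dest="$2"
    if [[ -z "$url" || ! -d "$dest" ]]; then
        echo "dl: usage: dl URL DEST_DIR (DEST_DIR must exist)" >&2
        return 1
    fi
    if [[ -n "$FAB_HTTP_PROXY" ]]; then
        http_proxy="$FAB_HTTP_PROXY" https_proxy="$FAB_HTTPS_PROXY" \
            wget --directory-prefix="$dest" -- "$url"
    else
        wget --directory-prefix="$dest" -- "$url"
    fi
}
```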
+++ b/conf/apache-ssl @@ -10,7 +10,7 @@ if [[ -f "$CONF" ]]; then ssl_protocol="# Hardened TKL default\nSSLProtocol -all +TLSv1.2 +TLSv1.3" sed -Ei "\|^SSLProtocol| s|^(.*)|#\1\n$ssl_protocol|" "$CONF" - cipher_suites=$(cat <> "$CONF" < ${PUREFTPDDIR}/TLS echo HIGH:\!TLSv1:\!TLSv1.1:\!SSLv2:\!SSLv3:${SECURE_CIPHER_LIST} > ${PUREFTPDDIR}/TLSCipherSuite fi + +echo "$SECURE_CIPHER_LIST" > /tmp/ZZ_SSL_CIPHERS diff --git a/mk/turnkey/apache.mk b/mk/turnkey/apache.mk index 6902c022..a5996edb 100644 --- a/mk/turnkey/apache.mk +++ b/mk/turnkey/apache.mk @@ -1,2 +1,2 @@ COMMON_OVERLAYS += apache -COMMON_CONF += apache-vhost apache-headers apache-security +COMMON_CONF += apache-vhost apache-headers apache-security apache-ssl
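Review bot: The added `echo "$SECURE_CIPHER_LIST" > /tmp/ZZ_SSL_CIPHERS` at the end of conf/turnkey.d/zz-ssl-ciphers hands the cipher list to another script through a fixed name in a world-writable directory. A file or symlink already at that path would be overwritten or followed, and the file stays in the built image unless something removes it. The consumer is not visible in this hunk (presumably conf/apache-ssl, which the same commit adds to COMMON_CONF), so the ordering between the two scripts cannot be confirmed from here either. Prefer a location only root can write. The reader should also fail with `fatal` when the file is missing or empty and delete it once read, so a stale or absent list cannot silently produce a weaker TLS configuration.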