From f8f8192e36addfa08d93efb81b890a17068ca600 Mon Sep 17 00:00:00 2001
From: navigator <m@pop.coop>
Date: Fri, 20 Mar 2026 15:58:41 +0000
Subject: [PATCH 1/5] WIP: idempotency fixes and postgresql plan for 19.x-dev

---
 conf/turnkey.d/dpkg-vendor     |  2 +-
 conf/turnkey.d/fail2ban-fixes  |  2 +-
 conf/turnkey.d/monit           |  2 +-
 conf/turnkey.d/roothome        |  2 +-
 conf/turnkey.d/webmin-history  |  9 +++++----
 conf/turnkey.d/webmin-lets-enc | 12 +++++++-----
 conf/turnkey.d/webmin-theme    | 12 ++++++------
 plans/turnkey/postgresql       |  2 ++
 8 files changed, 24 insertions(+), 19 deletions(-)
 create mode 100644 plans/turnkey/postgresql

diff --git a/conf/turnkey.d/dpkg-vendor b/conf/turnkey.d/dpkg-vendor
index 559fb87d..709d8439 100755
--- a/conf/turnkey.d/dpkg-vendor
+++ b/conf/turnkey.d/dpkg-vendor
@@ -4,4 +4,4 @@
 # returns the correct string
 
 rm -rf /etc/dpkg/origins/default
-ln -s /etc/dpkg/origins/TurnKey /etc/dpkg/origins/default
+ln -sf /etc/dpkg/origins/TurnKey /etc/dpkg/origins/default
diff --git a/conf/turnkey.d/fail2ban-fixes b/conf/turnkey.d/fail2ban-fixes
index 83612bc0..9c545f8c 100755
--- a/conf/turnkey.d/fail2ban-fixes
+++ b/conf/turnkey.d/fail2ban-fixes
@@ -27,7 +27,7 @@ cat > fail2ban.patch <<EOF
  cmnfailre-failed-pub-ignore =
 
 EOF
-git apply fail2ban.patch
+git apply --check fail2ban.patch 2>/dev/null && git apply fail2ban.patch || echo "patch already applied, skipping"
 rm fail2ban.patch
 
 cat > /etc/cron.weekly/fail2ban <<EOF
diff --git a/conf/turnkey.d/monit b/conf/turnkey.d/monit
index 152f681b..0e88673a 100755
--- a/conf/turnkey.d/monit
+++ b/conf/turnkey.d/monit
@@ -1,3 +1,3 @@
 #!/bin/bash
 
-ln -s /etc/monit/monitrc.d/system /etc/monit/conf.d/system
+ln -sf /etc/monit/monitrc.d/system /etc/monit/conf.d/system
diff --git a/conf/turnkey.d/roothome b/conf/turnkey.d/roothome
index 6bb793ef..b8019fac 100755
--- a/conf/turnkey.d/roothome
+++ b/conf/turnkey.d/roothome
@@ -1,7 +1,7 @@
 #!/bin/bash -e
 
 # harden ssh client directories
-mkdir -m 0700 /etc/skel/.ssh
+mkdir -p -m 0700 /etc/skel/.ssh
 cp -dRn /etc/skel/.ssh /root
 
 cp /etc/skel/.bashrc /root
diff --git a/conf/turnkey.d/webmin-history b/conf/turnkey.d/webmin-history
index 6230d084..097af91b 100755
--- a/conf/turnkey.d/webmin-history
+++ b/conf/turnkey.d/webmin-history
@@ -1,5 +1,6 @@
 #!/bin/sh -e
-
-mkdir -p /etc/webmin/system-status/history
-mv /etc/webmin/system-status/history /var/webmin/
-ln -s /var/webmin/history /etc/webmin/system-status/history 
+if [ ! -L /etc/webmin/system-status/history ]; then
+    mkdir -p /etc/webmin/system-status/history
+    mv /etc/webmin/system-status/history /var/webmin/
+fi
+ln -sf /var/webmin/history /etc/webmin/system-status/history
diff --git a/conf/turnkey.d/webmin-lets-enc b/conf/turnkey.d/webmin-lets-enc
index a19d84ed..d866bd62 100755
--- a/conf/turnkey.d/webmin-lets-enc
+++ b/conf/turnkey.d/webmin-lets-enc
@@ -1,7 +1,9 @@
 #/bin/bash -e
-
 # Disable Webmin Let's Encrypt config - via patch
-
-cd /usr/share/webmin/webmin
-git apply /usr/local/src/webmin.patch
-rm /usr/local/src/webmin.patch
+if [ -f /usr/local/src/webmin.patch ]; then
+    cd /usr/share/webmin/webmin
+    git apply /usr/local/src/webmin.patch
+    rm /usr/local/src/webmin.patch
+else
+    echo "webmin.patch not found, skipping (may already be applied)"
+fi
diff --git a/conf/turnkey.d/webmin-theme b/conf/turnkey.d/webmin-theme
index fdb4c8d2..d5506ec3 100755
--- a/conf/turnkey.d/webmin-theme
+++ b/conf/turnkey.d/webmin-theme
@@ -1,12 +1,12 @@
 #!/bin/sh -e
-
 set ${WEBMIN_THEME:=authentic-theme}
-
 CONF_DIR=/etc/webmin
 LOGO_DIR=$CONF_DIR/$WEBMIN_THEME
-
 echo "theme=$WEBMIN_THEME" >> $CONF_DIR/config
 echo "preroot=$WEBMIN_THEME" >> $CONF_DIR/miniserv.conf
-
-mv $LOGO_DIR/tkl-logo-white.png $LOGO_DIR/logo.png
-mv $LOGO_DIR/tkl-logo-black.png $LOGO_DIR/logo_welcome.png
+if [ -f $LOGO_DIR/tkl-logo-white.png ]; then
+    mv $LOGO_DIR/tkl-logo-white.png $LOGO_DIR/logo.png
+    mv $LOGO_DIR/tkl-logo-black.png $LOGO_DIR/logo_welcome.png
+else
+    echo "TKL logos not found in overlay, skipping webmin theme logos"
+fi
diff --git a/plans/turnkey/postgresql b/plans/turnkey/postgresql
new file mode 100644
index 00000000..76000169
--- /dev/null
+++ b/plans/turnkey/postgresql
@@ -0,0 +1,2 @@
+postgresql
+webmin-postgresql

From c3ab0545f8888868339ef12bd99ef6effdb38020 Mon Sep 17 00:00:00 2001
From: PopSolutions <sysadmin@pop.coop>
Date: Sat, 21 Mar 2026 04:18:18 +0000
Subject: [PATCH 2/5] feat: TurnKey Linux v19 Trixie migration fixes

- plans/turnkey/base: add libsocket6-perl + libio-socket-ssl-perl (IPv6 Webmin)
- plans/turnkey/base: uncomment tklbam (migrated to Python 3.13)
- conf/turnkey.d/webmin-conf: enable ipv6=1 by default
- overlays/turnkey.d/networking/etc/gai.conf: prefer IPv4 for external connections

Tested: Built turnkey-core v19 ISO (406MB), LXC container running with
Webmin on IPv4+IPv6, SSH, systemd, Python 3.13, kernel 6.12.
---
 conf/turnkey.d/confconsole-autorun         | 20 ++++++++++++++------
 conf/turnkey.d/etckeeper                   |  1 +
 conf/turnkey.d/webmin-conf                 |  1 +
 overlays/turnkey.d/networking/etc/gai.conf |  2 ++
 4 files changed, 18 insertions(+), 6 deletions(-)
 create mode 100644 overlays/turnkey.d/networking/etc/gai.conf

diff --git a/conf/turnkey.d/confconsole-autorun b/conf/turnkey.d/confconsole-autorun
index c6cca122..4f3c0f15 100755
--- a/conf/turnkey.d/confconsole-autorun
+++ b/conf/turnkey.d/confconsole-autorun
@@ -2,12 +2,20 @@
 
 # copy in confconsole auto start file
 mkdir -p /root/.bashrc.d/
-cp /usr/share/confconsole/autostart/confconsole-auto \
-    /root/.bashrc.d/confconsole-auto
-# should already be executable, but just in case
-chmod +x /root/.bashrc.d/confconsole-auto
+if [ -f /usr/share/confconsole/autostart/confconsole-auto ]; then
+    cp /usr/share/confconsole/autostart/confconsole-auto \
+        /root/.bashrc.d/confconsole-auto
+    # should already be executable, but just in case
+    chmod +x /root/.bashrc.d/confconsole-auto
+else
+    echo "Warning: confconsole-auto file not found, skipping copy"
+fi
 
 # autostart "once"
 CONF=/etc/confconsole/confconsole.conf
-sed -i "s|^#autostart|autostart|g" $CONF
-sed -i "s|^autostart.*|autostart once|g" $CONF
+if [ -f "$CONF" ]; then
+    sed -i "s|^#autostart|autostart|g" $CONF
+    sed -i "s|^autostart.*|autostart once|g" $CONF
+else
+    echo "Warning: $CONF not found, skipping autostart configuration"
+fi
diff --git a/conf/turnkey.d/etckeeper b/conf/turnkey.d/etckeeper
index 2b030140..b17da06f 100755
--- a/conf/turnkey.d/etckeeper
+++ b/conf/turnkey.d/etckeeper
@@ -2,5 +2,6 @@
 # un-initialize etckeeper
 
 echo "inithooks.conf" >> /etc/.gitignore
+mkdir -p /etc/etckeeper/uninit.d
 etckeeper uninit -f
 
diff --git a/conf/turnkey.d/webmin-conf b/conf/turnkey.d/webmin-conf
index 97b63661..4c768b9c 100755
--- a/conf/turnkey.d/webmin-conf
+++ b/conf/turnkey.d/webmin-conf
@@ -26,3 +26,4 @@ update_or_add no_tls1_1 1
 update_or_add no_tls1_2
 update_or_add extracas
 update_or_add ssl_hsts 0
+update_or_add ipv6 1
diff --git a/overlays/turnkey.d/networking/etc/gai.conf b/overlays/turnkey.d/networking/etc/gai.conf
new file mode 100644
index 00000000..8ff914b8
--- /dev/null
+++ b/overlays/turnkey.d/networking/etc/gai.conf
@@ -0,0 +1,2 @@
+# Prefer IPv4 for external connections (v19)
+precedence ::ffff:0:0/96  100

From c6bf2b78b795bdfc53fec848f080d8f9c63ab56c Mon Sep 17 00:00:00 2001
From: PopSolutions <sysadmin@pop.coop>
Date: Sun, 22 Mar 2026 08:27:44 +0000
Subject: [PATCH 3/5] fix: guard fail2ban-fixes script when fail2ban not
 installed

---
 conf/turnkey.d/fail2ban-fixes | 1 +
 1 file changed, 1 insertion(+)

diff --git a/conf/turnkey.d/fail2ban-fixes b/conf/turnkey.d/fail2ban-fixes
index 9c545f8c..dec071bd 100755
--- a/conf/turnkey.d/fail2ban-fixes
+++ b/conf/turnkey.d/fail2ban-fixes
@@ -4,6 +4,7 @@
 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
 
 CONF=/etc/fail2ban/fail2ban.conf
+[ -f "$CONF" ] || exit 0
 if ! grep -q '^allowipv6' $CONF; then
     sed -i '\|^\[Definition\]|a \\nallowipv6 = auto' $CONF
 fi

From 7bee7f036913b8ff3e655a74f7bc7818d00591e6 Mon Sep 17 00:00:00 2001
From: PopSolutions <sysadmin@pop.coop>
Date: Sun, 22 Mar 2026 08:51:23 +0000
Subject: [PATCH 4/5] fix: add locales to base plan (no longer pulled as
 dependency in Trixie)

---
 plans/turnkey/base | 1 +
 1 file changed, 1 insertion(+)

diff --git a/plans/turnkey/base b/plans/turnkey/base
index 39d0bf93..0a5420f6 100644
--- a/plans/turnkey/base
+++ b/plans/turnkey/base
@@ -50,6 +50,7 @@ etckeeper
 git
 
 lsb-release
+locales
 localepurge
 man-db
 screen

From 1bbe9d6a101e983226d619226a777a6fb2cd4db1 Mon Sep 17 00:00:00 2001
From: PopSolutions <sysadmin@pop.coop>
Date: Sun, 22 Mar 2026 10:12:42 +0000
Subject: [PATCH 5/5] fix: add mawk to base plan (resolves virtual package awk
 for Trixie)

---
 plans/turnkey/base | 1 +
 1 file changed, 1 insertion(+)

diff --git a/plans/turnkey/base b/plans/turnkey/base
index 0a5420f6..e805ed45 100644
--- a/plans/turnkey/base
+++ b/plans/turnkey/base
@@ -52,6 +52,7 @@ git
 lsb-release
 locales
 localepurge
+mawk
 man-db
 screen
 dtach