diff --git a/.mikaela/gpg.conf b/.mikaela/gpg.conf index ed05abae..80ba96bb 100644 --- a/.mikaela/gpg.conf +++ b/.mikaela/gpg.conf @@ -5,7 +5,7 @@ # This file is free software; as a special exception the author gives # unlimited permission to copy and/or distribute it, with or without # modifications, as long as this notice is preserved. -# +# # This file is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY, to the extent permitted by law; without even the # implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. diff --git a/.mikaela/pastebinit.xml b/.mikaela/pastebinit.xml index 1d51f03d..d9d3c544 100644 --- a/.mikaela/pastebinit.xml +++ b/.mikaela/pastebinit.xml @@ -1,6 +1,6 @@ - - http://sprunge.us - Mikaela - mikaela@kapsi.fi - text + + http://sprunge.us + Mikaela + mikaela@kapsi.fi + text diff --git a/LICENSE b/LICENSE index ea890afb..086d3992 100644 --- a/LICENSE +++ b/LICENSE @@ -1,4 +1,4 @@ -Copyright (c) . +Copyright (c) . Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: diff --git a/README.md b/README.md index c5ef707d..85095d4d 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ repository as dotfiles, but historical reasons... # Directories explained - .mikaela — files that most likely aren't suitable for places where other - people than me have access too + people than me have access too - Windows — files releated to Windows - conf — config files like .tmux.conf - etc — /etc/ diff --git a/Windows/.gitattributes b/Windows/.gitattributes index 0c42f3cc..20743d22 100644 --- a/Windows/.gitattributes +++ b/Windows/.gitattributes @@ -1 +1 @@ -* text=auto eol=crlf +* text=auto eol=crlf diff --git a/Windows/10to11/README.md b/Windows/10to11/README.md index b2f0e7a2..2eaee68c 100644 --- a/Windows/10to11/README.md +++ b/Windows/10to11/README.md 
@@ -22,11 +22,11 @@ I think the first method is likely the best, but I cannot rule these working on another system out yet. They didn't work on my first system tried. - `00-AllowUpgradesWithUnsupportedTPMOrCPU.reg` - the official Microsoft - recommendation and the only one that should be used. If after reboot - nothing happens, maybe try the rest rebooting every failure. - - https://support.microsoft.com/windows/windows-11-n-asentaminen-e0edbbfb-cfc5-4011-868b-2ce77ac7c70e + recommendation and the only one that should be used. If after reboot + nothing happens, maybe try the rest rebooting every failure. + - https://support.microsoft.com/windows/windows-11-n-asentaminen-e0edbbfb-cfc5-4011-868b-2ce77ac7c70e - `01-LabConfig.reg` - widely reported to work - `01-Setup.reg` - ^ - `02-DevRing.reg` - after joining the Insider program, this should enforce - joining to Dev ring which should offer Windows 11 instantly. It may be - advisable to leave after successful update. + joining to Dev ring which should offer Windows 11 instantly. It may be + advisable to leave after successful update. diff --git a/Windows/CVE-2018-3639.reg b/Windows/CVE-2018-3639.reg index 6aefbda0..20aa52f8 100755 Binary files a/Windows/CVE-2018-3639.reg and b/Windows/CVE-2018-3639.reg differ diff --git a/Windows/DoH/README.md b/Windows/DoH/README.md index afd759bb..a3e52d34 100644 --- a/Windows/DoH/README.md +++ b/Windows/DoH/README.md 
@@ -3,17 +3,17 @@ Requires Windows 11. - `GPO-EnforceDoH.reg` enables the group policy to require DoH. However it - didn't seem to work for me or it allowed me to set the DNS server to not - use DoH. + didn't seem to work for me or it allowed me to set the DNS server to not + use DoH. - `DohWellKnownServers` adds DoH support for multiple IPv4 & IPv6 addresses - that Windows 11 isn't shipping by default, currently: - - Adguard - - Cloudflare antimalware - - DNS0 (& Zero) - - Mullvad - - Mullvad Adblock - - Quad9 ECS (Windows 11 defaults include Quad9 default) + that Windows 11 isn't shipping by default, currently: + - Adguard + - Cloudflare antimalware + - DNS0 (& Zero) + - Mullvad + - Mullvad Adblock + - Quad9 ECS (Windows 11 defaults include Quad9 default) ## Configuration @@ -21,6 +21,6 @@ Once Windows knows about the DoH servers (DohWellKnownServers.reg), DNS-over HTTPS can be enabled for: - All networks: `Windows-I (Settings) -> Network & Internet -> Advanced network settings -> WLAN -> View additional properties -> DNS Server assignment -> Edit` - - Same place for Ethernet etc. + - Same place for Ethernet etc. - Specific network: `Windows-I (Settings) -> Network & Internet -> WiFi -> Connected SSID -> DNS server assignment -> Edit` - - Note: if the all networks one is configured, there is a warning about it not being used. + - Note: if the all networks one is configured, there is a warning about it not being used. diff --git a/Windows/IPv6-no_privacy.bat b/Windows/IPv6-no_privacy.bat index 019101dc..4daab309 100644 --- a/Windows/IPv6-no_privacy.bat +++ b/Windows/IPv6-no_privacy.bat @@ -6,4 +6,4 @@ netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent netsh interface ipv6 set privacy state=disabled store=active netsh interface ipv6 set privacy state=disabled store=persistent pause -echo on \ No newline at end of file +echo on 
diff --git a/Windows/IPv6-no_randomization.bat b/Windows/IPv6-no_randomization.bat index 2dc49495..80b149a1 100644 --- a/Windows/IPv6-no_randomization.bat +++ b/Windows/IPv6-no_randomization.bat @@ -4,4 +4,4 @@ pause netsh interface ipv6 set global randomizeidentifiers=disabled store=active netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent pause -echo on \ No newline at end of file +echo on diff --git a/Windows/IPv6.reg.markdown b/Windows/IPv6.reg.markdown index 0e72122a..8ee008b4 100644 --- a/Windows/IPv6.reg.markdown +++ b/Windows/IPv6.reg.markdown @@ -3,6 +3,6 @@ Some kind of explaining for [IPv6.reg](IPv6.reg) like - Resolve IPv6 even without native connectivity. - Enable Teredo - - As EnterpriseClient so it also works when joined into domain. + - As EnterpriseClient so it also works when joined into domain. - Use `teredo.trex.fi` as Teredo server. This should be replaced with - something that is as near as possible. + something that is as near as possible. diff --git a/Windows/Windows.reg.markdown b/Windows/Windows.reg.markdown index 9a2d10b7..e2457bc6 100644 --- a/Windows/Windows.reg.markdown +++ b/Windows/Windows.reg.markdown @@ -9,10 +9,10 @@ Windows Registry Editor Version 5.00 - Make the file Windows Registry Editor script - Ask admins for password/PIN in UAC - - 2 would ask for yes or no, 0 disable entirely (don't do that). + - 2 would ask for yes or no, 0 disable entirely (don't do that). - prompt standard users for username and password. 2021-12-19: I don't understand this or the line below. - - The other option (1) doesn't even give them UAC prompt so you must - always login as admin to do anything. + - The other option (1) doesn't even give them UAC prompt so you must + always login as admin to do anything. ``` "dontdisplaylastusername"=dword:00000000 
@@ -39,8 +39,8 @@ Windows Registry Editor Version 5.00 ``` - Sets hardware clock to UTC time (doesn't affect system clock!) - - qword for 64-bit, dword for 32-bit systems. The actual reg file has - only qword as I haven't seen 32-bit Windowses lately. + - qword for 64-bit, dword for 32-bit systems. The actual reg file has + only qword as I haven't seen 32-bit Windowses lately. ``` [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters] diff --git a/Windows/autohotkey/CapsLockToBackspace.ahk b/Windows/autohotkey/CapsLockToBackspace.ahk index 7714bbca..f8d18758 100644 --- a/Windows/autohotkey/CapsLockToBackspace.ahk +++ b/Windows/autohotkey/CapsLockToBackspace.ahk @@ -1 +1 @@ -CapsLock:: Send {BackSpace} \ No newline at end of file +CapsLock:: Send {BackSpace} diff --git a/Windows/time/README.md b/Windows/time/README.md index d509fbff..ea313fe6 100644 --- a/Windows/time/README.md +++ b/Windows/time/README.md 
@@ -7,16 +7,16 @@ w32tm /query /peers ``` - The list is space separated NTP servers, while I think Windows uses SNTP instead - of NTP. + of NTP. - `/resync` may sync current time, but is also required for the GUI - (Windows + I, Date & time) and following command to get aware of peers. + (Windows + I, Date & time) and following command to get aware of peers. - Shows where time is synced from and statistics. - - There is also `net time` to sync, I am unsure of the differences while - that may be blocked while the second keeps working. It may also not - show all the peers, just the primary one, while `w32tm` is more verbose - and has all of them. + - There is also `net time` to sync, I am unsure of the differences while + that may be blocked while the second keeps working. It may also not + show all the peers, just the primary one, while `w32tm` is more verbose + and has all of them. - As Windows doesn't support NTS and probably won't in near future, there is - no point in listing distant foreign servers. + no point in listing distant foreign servers. ## Variations 
@@ -47,14 +47,14 @@ w32tm /config /syncfromflags:manual /manualpeerlist:"time.cloudflare.com ntp1.ko - https://www.netnod.se/nts/network-time-security - https://www.vttresearch.com/fi/palvelut/suomen-aika-ntp-palvelu#julkinen - https://www.ntppool.org/use.html - - Also mentions the syntax for multiple servers, but considering this Elisa - list has so many servers I am only picking one pool address just in case - the others somehow fail. + - Also mentions the syntax for multiple servers, but considering this Elisa + list has so many servers I am only picking one pool address just in case + the others somehow fail. ## Additional reading - Above links - https://jasoncoltrin.com/2018/08/02/how-to-set-clock-time-on-ad-domain-controller-and-sync-windows-clients/ - - this file might not exist without this post, while it doesn't mention - multiple servers, uses `time.windows.com` and I am yet to actually touch - NTP on Windows Server environment. + - this file might not exist without this post, while it doesn't mention + multiple servers, uses `time.windows.com` and I am yet to actually touch + NTP on Windows Server environment. diff --git a/chmod b/chmod index cf38de0f..a3406ba3 100755 --- a/chmod +++ b/chmod @@ -1,5 +1,5 @@ #!/usr/bin/env bash -# This script removes permissions from other people than the owner to +# This script removes permissions from other people than the owner to # files/folders that they don't have access to and where they don't need # access. set -x diff --git a/conf/conky/conky.conf b/conf/conky/conky.conf index e59689d6..bb1d4069 100644 --- a/conf/conky/conky.conf +++ b/conf/conky/conky.conf 
@@ -19,48 +19,48 @@ the Free Software Foundation, either version 3 of the License, or This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of -MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License -along with this program. If not, see . +along with this program. If not, see . ]] conky.config = { - alignment = 'top_left', - background = true, - border_width = 1, - cpu_avg_samples = 2, - default_color = '#dedede', - default_outline_color = '#dedede', - default_shade_color = '#dedede', - draw_borders = true, - draw_graph_borders = true, - draw_outline = false, - draw_shades = false, - use_xft = true, - font = 'DejaVu Sans Mono:size=8', - gap_x = 6, - gap_y = 28, - minimum_height = 5, - minimum_width = 5, - net_avg_samples = 2, - no_buffers = true, - out_to_console = false, - out_to_stderr = false, - extra_newline = false, - own_window = true, - own_window_transparent = false, - own_window_argb_visual = true, - own_window_argb_value = 95, - own_window_class = 'Conky', - own_window_type = 'override', - stippled_borders = 0, - update_interval = 5, - uppercase = false, - use_spacer = 'none', - show_graph_scale = false, - show_graph_range = false, - double_buffer = true + alignment = 'top_left', + background = true, + border_width = 1, + cpu_avg_samples = 2, + default_color = '#dedede', + default_outline_color = '#dedede', + default_shade_color = '#dedede', + draw_borders = true, + draw_graph_borders = true, + draw_outline = false, + draw_shades = false, + use_xft = true, + font = 'DejaVu Sans Mono:size=8', + gap_x = 6, + gap_y = 28, + minimum_height = 5, + minimum_width = 5, + net_avg_samples = 2, + no_buffers = true, + out_to_console = false, + out_to_stderr = false, + extra_newline = false, + own_window = true, + 
own_window_transparent = false, + own_window_argb_visual = true, + own_window_argb_value = 95, + own_window_class = 'Conky', + own_window_type = 'override', + stippled_borders = 0, + update_interval = 5, + uppercase = false, + use_spacer = 'none', + show_graph_scale = false, + show_graph_range = false, + double_buffer = true } conky.text = [[ @@ -72,16 +72,16 @@ ${color grey}Frequency (in GHz):$color $freq_g ${color grey}RAM Usage:$color $mem/$memmax - $memperc% ${membar 4} ${color grey}Swap Usage:$color $swap/$swapmax - $swapperc% ${swapbar 4} ${color grey}CPU Usage:$color $cpu% ${cpubar 4} -${color grey}Processes:$color $processes ${color grey}Running:$color $running_processes +${color grey}Processes:$color $processes ${color grey}Running:$color $running_processes $hr ${color grey}File systems: - / $color${fs_used /}/${fs_size /} ${fs_bar 6 /} + / $color${fs_used /}/${fs_size /} ${fs_bar 6 /} ${color grey} /home $color${fs_used /home}/${fs_size /home} ${fs_bar 6 /} ${color grey}HDD Temperature:${color} $hddtemp °C ${color grey}Networking: - eth0 Up:$color ${upspeed eth0} ${color grey} - Down:$color ${downspeed eth0} - ${color grey}wlan0 Up:$color ${upspeed wlan0} ${color grey} - Down:$color ${downspeed wlan0} - ${color grey}yggdrasil Up:$color ${upspeed yggdrasil} ${color grey} - Down:$color ${downspeed yggdrasil} + eth0 Up:$color ${upspeed eth0} ${color grey} - Down:$color ${downspeed eth0} + ${color grey}wlan0 Up:$color ${upspeed wlan0} ${color grey} - Down:$color ${downspeed wlan0} + ${color grey}yggdrasil Up:$color ${upspeed yggdrasil} ${color grey} - Down:$color ${downspeed yggdrasil} $hr ${color grey}Sensors${color} ${execpi 60 sensors|grep °} diff --git a/conf/i3/config b/conf/i3/config index 014fb12c..c5161c0b 100644 --- a/conf/i3/config +++ b/conf/i3/config 
@@ -1,9 +1,9 @@ # Packages expected (just break line-length!): # Debian: i3 suckless-tools j4-dmenu-desktop gnome-screenshot i3lock sudo hibernate playerctl galculator network-manager-gnome redshift-gtk x11-xserver-utils feh rofi libnotify-bin xcompmgr konsole fonts-dejavu dbus-x11 arandr numlockx fcitx-bin fcitx-mozc conky-all flatpak apparmor-notify caffeine kdocker mumble audacious telegram-desktop steam htop kdeconnect nextcloud-client parcimonie lxqt-powermanagement kteatime hsetroot tmux # ALSA: alsa-utils apulse coreutils pnmixer -# NOTE! apulse is a wrapper and `apulse` is put in front of pulseaudio -# requiring app. See also (shell-things) rc/asoundrc for USB headset and -# similar. +# NOTE! apulse is a wrapper and `apulse` is put in front of pulseaudio +# requiring app. See also (shell-things) rc/asoundrc for USB headset and +# similar. # pulseaudio: pulseaudio-utils pasystray pulsemixer pavucontrol pulseeffects # insync: https://www.insynchq.com/downloads # Mullvad: https://mullvad.net/download @@ -15,7 +15,7 @@ # Debian theming: lxappearance gtk-chtheme qt4-qtconfig qt5ct # https://askubuntu.com/a/600946 # + ~/.xprofile specifies GTK_THEME which hopefully gets detected/understood -# by browsers etc. +# by browsers etc. # # YES! This file is a monster and there really are that many weird # packages! @@ -50,7 +50,7 @@ set $ScreenLockCmd i3lock -c 000000 -p win -f # This font is widely installed, provides lots of unicode glyphs, right-to-left # text rendering and scalability on retina/hidpi displays (thanks to pango). # NOTE! Bigger font than 8 is too big for Kincarron -# 7 is too big for Sedric with dpi scaling 144 +# 7 is too big for Sedric with dpi scaling 144 #font pango:DejaVu Sans Mono Book 7 font pango:OpenDyslexic 9 
@@ -192,27 +192,27 @@ bindsym $mod+Shift+e exec "i3-nagbar -t warning -m 'You pressed the EXIT shortcu # resize window (you can also use the mouse for that) mode "resize" { - # These bindings trigger as soon as you enter the resize mode + # These bindings trigger as soon as you enter the resize mode - # Pressing left will shrink the window’s width. - # Pressing right will grow the window’s width. - # Pressing up will shrink the window’s height. - # Pressing down will grow the window’s height. - bindsym j resize shrink width 10 px or 10 ppt - bindsym k resize grow height 10 px or 10 ppt - bindsym l resize shrink height 10 px or 10 ppt - bindsym odiaeresis resize grow width 10 px or 10 ppt + # Pressing left will shrink the window’s width. + # Pressing right will grow the window’s width. + # Pressing up will shrink the window’s height. + # Pressing down will grow the window’s height. + bindsym j resize shrink width 10 px or 10 ppt + bindsym k resize grow height 10 px or 10 ppt + bindsym l resize shrink height 10 px or 10 ppt + bindsym odiaeresis resize grow width 10 px or 10 ppt - # same bindings, but for the arrow keys - bindsym Left resize shrink width 10 px or 10 ppt - bindsym Down resize grow height 10 px or 10 ppt - bindsym Up resize shrink height 10 px or 10 ppt - bindsym Right resize grow width 10 px or 10 ppt + # same bindings, but for the arrow keys + bindsym Left resize shrink width 10 px or 10 ppt + bindsym Down resize grow height 10 px or 10 ppt + bindsym Up resize shrink height 10 px or 10 ppt + bindsym Right resize grow width 10 px or 10 ppt - # back to normal: Enter or Escape or $mod+r - bindsym Return mode "default" - bindsym Escape mode "default" - bindsym $mod+r mode "default" + # back to normal: Enter or Escape or $mod+r + bindsym Return mode "default" + bindsym Escape mode "default" + bindsym $mod+r mode "default" } bindsym $mod+r mode "resize" 
@@ -277,30 +277,30 @@ set $br_violet #b891f5 # Start i3bar to display a workspace bar (plus the system information i3status # finds out, if available) CHANGEME bar { - position top - #status_command LC_ALL=fi_FI.utf8 i3status - # Temporary workaround to broken i3status in Fedora - status_command LC_ALL=fi_FI.utf8 i3status-rs ~/.config/i3status-rs/config.toml - # Selenized black from https://github.com/jan-warchol/selenized/blob/master/other-apps/i3/i3-selenized-black.conf - colors { - separator $blue - background $bg - statusline $br_white - focused_workspace $green $green $bg - active_workspace $cyan $blue $black - inactive_workspace $black $black $fg - urgent_workspace $yellow $yellow $black - } - # Selenized light from https://github.com/jan-warchol/selenized/blob/master/other-apps/i3/i3-selenized-light.conf - #colors { - # separator $blue - # background $bg - # statusline $br_white - # focused_workspace $green $green $bg - # active_workspace $cyan $blue $black - # inactive_workspace $black $black $fg - # urgent_workspace $yellow $yellow $black - # } + position top + #status_command LC_ALL=fi_FI.utf8 i3status + # Temporary workaround to broken i3status in Fedora + status_command LC_ALL=fi_FI.utf8 i3status-rs ~/.config/i3status-rs/config.toml + # Selenized black from https://github.com/jan-warchol/selenized/blob/master/other-apps/i3/i3-selenized-black.conf + colors { + separator $blue + background $bg + statusline $br_white + focused_workspace $green $green $bg + active_workspace $cyan $blue $black + inactive_workspace $black $black $fg + urgent_workspace $yellow $yellow $black + } + # Selenized light from https://github.com/jan-warchol/selenized/blob/master/other-apps/i3/i3-selenized-light.conf + #colors { + # separator $blue + # background $bg + # statusline $br_white + # focused_workspace $green $green $bg + # active_workspace $cyan $blue $black + # inactive_workspace $black $black $fg + # urgent_workspace $yellow $yellow $black + # } } # Selenized black from 
https://github.com/jan-warchol/selenized/blob/master/other-apps/i3/i3-selenized-black.conf @@ -486,7 +486,7 @@ exec --no-startup-id redshift-gtk -l 60.15937:24.87530 #exec --no-startup-id redshift-gtk -l 60.46742:26.94508 # Sedric - 150 % display scaling (HiDPI), see also `xdpyinfo | grep resolution -# where 96 = 100 % +# where 96 = 100 % #exec --no-startup-id xrandr --dpi 144 # Sedric, external GPU as primary @@ -535,5 +535,5 @@ exec --no-startup-id redshift-gtk -l 60.15937:24.87530 # Special keyboard options that WILL CONFUSE YOU. # windows+space should change layout, but doesn't, both ctrls do # fi allows mostly typing fi/se (identicatal), cz/es. -# See also: `man xkeyboard-config` (layouts) `setxkbmap -query` (for current options) +# See also: `man xkeyboard-config` (layouts) `setxkbmap -query` (for current options) exec --no-startup-id setxkbmap -option compose:menu -option terminate:ctrl_alt_bksp -option nbsp:none -option caps:backspace -option shift:both_capslock -option grp:ctrls_toggle -option grp:win_space_toggle -layout fi,us,epo,ru -variant ,altgr-intl,,phonetic_winkeys diff --git a/conf/i3status-rs/config.toml b/conf/i3status-rs/config.toml index 8cb178ca..d98802f4 100644 --- a/conf/i3status-rs/config.toml +++ b/conf/i3status-rs/config.toml @@ -2,10 +2,10 @@ # based heavily on /usr/share/doc/i3status-rs/example_config.toml & https://github.com/greshake/i3status-rust/tree/master/examples # and manpage from search engine # Note: I am not confident that "irstatus-rs" and "i3status-rust" are the same -# software. +# software. # WIP: migration from i3status - # contains: (disk /, disk/home,) load, ipv6, wireless, ethernet, battery, volume, (utc) time, (local time) + # contains: (disk /, disk/home,) load, ipv6, wireless, ethernet, battery, volume, (utc) time, (local time) [theme] name = "solarized-dark" diff --git a/conf/i3status/config b/conf/i3status/config index 343286dc..3023d205 100644 --- a/conf/i3status/config +++ b/conf/i3status/config 
@@ -7,21 +7,21 @@ # If the above line is not correctly displayed, fix your editor first! general { - output_format = "i3bar" - colors = true - # 1 is horrible with battery status and possibly unnecessary - # weight for older devices. 5 appears to be Debian default, and I - # guess it's enough often for seeing if the system is frozen when - # staring at a clock. - interval = 5 - # Selenized black from https://github.com/jan-warchol/selenized/blob/master/other-apps/i3/i3status-selenized-black.conf - color_good = "#70b433" - color_degraded = "#dbb32d" - color_bad = "#ed4a46" - # Selenized light from https://github.com/jan-warchol/selenized/blob/master/other-apps/i3/i3status-selenized-light.conf - #color_good = "#489100" - #color_degraded = "#ad8900" - #color_bad = "#d2212d" + output_format = "i3bar" + colors = true + # 1 is horrible with battery status and possibly unnecessary + # weight for older devices. 5 appears to be Debian default, and I + # guess it's enough often for seeing if the system is frozen when + # staring at a clock. + interval = 5 + # Selenized black from https://github.com/jan-warchol/selenized/blob/master/other-apps/i3/i3status-selenized-black.conf + color_good = "#70b433" + color_degraded = "#dbb32d" + color_bad = "#ed4a46" + # Selenized light from https://github.com/jan-warchol/selenized/blob/master/other-apps/i3/i3status-selenized-light.conf + #color_good = "#489100" + #color_degraded = "#ad8900" + #color_bad = "#d2212d" } # Logicish: colour changing things at first (load is often red especially 
@@ -44,50 +44,50 @@ order += "time" # Load is first as the treshold may need the most modification here load { - format = "%1min %5min %15min" - # Defaults to 5, nosmt MDS mitigation disables ½ of the cores - # X,7 ? https://scoutapm.com/blog/understanding-load-averages - # CHANGEME - apparently whether . or , works depends on locale -.- - # Rbtpzn, the oldest machine from 2006, single core - #max_threshold = "0,7" - # Dualcore, mostly everything else - max_threshold = "1,7" - # Zaldaryn, quadcore - #max_threshold = "3,7" + format = "%1min %5min %15min" + # Defaults to 5, nosmt MDS mitigation disables ½ of the cores + # X,7 ? https://scoutapm.com/blog/understanding-load-averages + # CHANGEME - apparently whether . or , works depends on locale -.- + # Rbtpzn, the oldest machine from 2006, single core + #max_threshold = "0,7" + # Dualcore, mostly everything else + max_threshold = "1,7" + # Zaldaryn, quadcore + #max_threshold = "3,7" } wireless _first_ { - #format_up = "W: (%quality at %essid, %bitrate / %frequency) %ip" - format_up = "W:%quality @ %essid (%frequency, %bitrate)" - #format_up = "W:%quality %frequency" - #format_down = "W:🢃" - format_down = "" - #format_quality = "%3d%s" + #format_up = "W: (%quality at %essid, %bitrate / %frequency) %ip" + format_up = "W:%quality @ %essid (%frequency, %bitrate)" + #format_up = "W:%quality %frequency" + #format_down = "W:🢃" + format_down = "" + #format_quality = "%3d%s" } ethernet _first_ { - # if you use %speed, i3status requires root privileges - #format_up = "E: %ip (%speed)" - #format_up = "E:🢁" - format_up = "E:%speed" - #format_down = "E:🢃" - format_down = "" + # if you use %speed, i3status requires root privileges + #format_up = "E: %ip (%speed)" + #format_up = "E:🢁" + format_up = "E:%speed" + #format_down = "E:🢃" + format_down = "" } battery all { - # %remaining looks horrible especially with updating every second - format = "🔌%status %percentage %remaining" - format_down = "" - status_full = "🔌☻" - #status_unk = 
"?" - # kincarron battery fix - #path = "/sys/class/power_supply/%d/uevent" + # %remaining looks horrible especially with updating every second + format = "🔌%status %percentage %remaining" + format_down = "" + status_full = "🔌☻" + #status_unk = "?" + # kincarron battery fix + #path = "/sys/class/power_supply/%d/uevent" } tztime utc { - timezone = "UTC" - # ISO 8601ish - format = "%Z: %Y-%m-%d %H:%M:%S%z" + timezone = "UTC" + # ISO 8601ish + format = "%Z: %Y-%m-%d %H:%M:%S%z" } # Date format explanations @@ -106,29 +106,29 @@ tztime utc { #tztime local { time { - # Finnishish formatting with my adjustments - format = "%G-W%V-%u (%j/%a/%B) %F %H.%M.%S%z" + # Finnishish formatting with my adjustments + format = "%G-W%V-%u (%j/%a/%B) %F %H.%M.%S%z" } volume master { - format = "♪: %volume" - format_muted = "♪: muted (%volume)" - #device = "pulse" + format = "♪: %volume" + format_muted = "♪: muted (%volume)" + #device = "pulse" } ipv6 { - #format_up = "IPv6:🢁" - format_up = "6" - #format_down = "IPv6:🢃" - format_down = "" + #format_up = "IPv6:🢁" + format_up = "6" + #format_down = "IPv6:🢃" + format_down = "" } # %avail vs %free: https://github.com/i3/i3status/issues/349#issuecomment-506565599 disk / { - format = "/: %avail" + format = "/: %avail" } disk /home { - format = "/home: %avail" + format = "/home: %avail" } diff --git a/conf/pastebinit.xml b/conf/pastebinit.xml index 35d97b0f..2b76721e 100644 --- a/conf/pastebinit.xml +++ b/conf/pastebinit.xml @@ -1,6 +1,6 @@ - - http://sprunge.us - - - text + + http://sprunge.us + + + text diff --git a/conf/pipewire/media-session.d/alsa-monitor.conf b/conf/pipewire/media-session.d/alsa-monitor.conf index cfd940e7..43052e31 100644 --- a/conf/pipewire/media-session.d/alsa-monitor.conf +++ b/conf/pipewire/media-session.d/alsa-monitor.conf 
@@ -6,130 +6,130 @@ # then restart pipewire and pipewire-pulse like so: systemctl --user restart pipewire pipewire-pulse properties = { - # Create a JACK device. This is not enabled by default because - # it requires that the PipeWire JACK replacement libraries are - # not used by the session manager, in order to be able to - # connect to the real JACK server. - #alsa.jack-device = false + # Create a JACK device. This is not enabled by default because + # it requires that the PipeWire JACK replacement libraries are + # not used by the session manager, in order to be able to + # connect to the real JACK server. + #alsa.jack-device = false - # Reserve devices. - #alsa.reserve = true + # Reserve devices. + #alsa.reserve = true } rules = [ - # An array of matches/actions to evaluate. - { - # Rules for matching a device or node. It is an array of - # properties that all need to match the regexp. If any of the - # matches work, the actions are executed for the object. - matches = [ - { - # This matches all cards. These are regular expressions - # so "." matches one character and ".*" matches many. - device.name = "~alsa_card.*" - } - ] - actions = { - # Actions can update properties on the matched object. - update-props = { - # Use ALSA-Card-Profile devices. They use UCM or - # the profile configuration to configure the device - # and mixer settings. - api.alsa.use-acp = true + # An array of matches/actions to evaluate. + { + # Rules for matching a device or node. It is an array of + # properties that all need to match the regexp. If any of the + # matches work, the actions are executed for the object. + matches = [ + { + # This matches all cards. These are regular expressions + # so "." matches one character and ".*" matches many. + device.name = "~alsa_card.*" + } + ] + actions = { + # Actions can update properties on the matched object. + update-props = { + # Use ALSA-Card-Profile devices. 
They use UCM or + # the profile configuration to configure the device + # and mixer settings. + api.alsa.use-acp = true - # Use UCM instead of profile when available. Can be - # disabled to skip trying to use the UCM profile. - #api.alsa.use-ucm = true + # Use UCM instead of profile when available. Can be + # disabled to skip trying to use the UCM profile. + #api.alsa.use-ucm = true - # Don't use the hardware mixer for volume control. It - # will only use software volume. The mixer is still used - # to mute unused paths based on the selected port. - #api.alsa.soft-mixer = false + # Don't use the hardware mixer for volume control. It + # will only use software volume. The mixer is still used + # to mute unused paths based on the selected port. + #api.alsa.soft-mixer = false - # Ignore decibel settings of the driver. Can be used to - # work around buggy drivers that report wrong values. - #api.alsa.ignore-dB = false + # Ignore decibel settings of the driver. Can be used to + # work around buggy drivers that report wrong values. + #api.alsa.ignore-dB = false - # The profile set to use for the device. Usually this is - # "default.conf" but can be changed with a udev rule - # or here. - #device.profile-set = "profileset-name.conf" + # The profile set to use for the device. Usually this is + # "default.conf" but can be changed with a udev rule + # or here. + #device.profile-set = "profileset-name.conf" - # The default active profile. Is by default set to "Off". - #device.profile = "default profile name" + # The default active profile. Is by default set to "Off". + #device.profile = "default profile name" - # Automatically select the best profile. This is the - # highest priority available profile. This is disabled - # here and instead implemented in the session manager - # where it can save and load previous preferences. - api.acp.auto-profile = false + # Automatically select the best profile. This is the + # highest priority available profile. 
This is disabled + # here and instead implemented in the session manager + # where it can save and load previous preferences. + api.acp.auto-profile = false - # Automatically switch to the highest priority available - # port. This is disabled here and implemented in the - # session manager instead. - api.acp.auto-port = false + # Automatically switch to the highest priority available + # port. This is disabled here and implemented in the + # session manager instead. + api.acp.auto-port = false - # Other properties can be set here. - #device.nick = "My Device" - } - } - } + # Other properties can be set here. + #device.nick = "My Device" + } + } + } # Begin customized config section - { - matches = [ - { - # This matches your USB headset - device.name = "alsa_card.usb-Logitech_Logitech_USB_Headset-00" - } - ] - actions = { - # Actions can update properties on the matched object. - update-props = { - api.alsa.soft-mixer = true - } - } - } + { + matches = [ + { + # This matches your USB headset + device.name = "alsa_card.usb-Logitech_Logitech_USB_Headset-00" + } + ] + actions = { + # Actions can update properties on the matched object. + update-props = { + api.alsa.soft-mixer = true + } + } + } #End customized config section - { - matches = [ - { - # Matches all sources. These are regular expressions - # so "." matches one character and ".*" matches many. - node.name = "~alsa_input.*" - } - { - # Matches all sinks. - node.name = "~alsa_output.*" - } - ] - actions = { - update-props = { - #node.nick = "My Node" - #node.nick = null - #priority.driver = 100 - #priority.session = 100 - node.pause-on-idle = false - #resample.quality = 4 - #channelmix.normalize = false - #channelmix.mix-lfe = false - #audio.channels = 2 - #audio.format = "S16LE" - #audio.rate = 44100 - #audio.position = "FL,FR" - #session.suspend-timeout-seconds = 5 # 0 disables suspend - #monitor.channel-volumes = false + { + matches = [ + { + # Matches all sources. These are regular expressions + # so "." 
matches one character and ".*" matches many. + node.name = "~alsa_input.*" + } + { + # Matches all sinks. + node.name = "~alsa_output.*" + } + ] + actions = { + update-props = { + #node.nick = "My Node" + #node.nick = null + #priority.driver = 100 + #priority.session = 100 + node.pause-on-idle = false + #resample.quality = 4 + #channelmix.normalize = false + #channelmix.mix-lfe = false + #audio.channels = 2 + #audio.format = "S16LE" + #audio.rate = 44100 + #audio.position = "FL,FR" + #session.suspend-timeout-seconds = 5 # 0 disables suspend + #monitor.channel-volumes = false - #api.alsa.period-size = 1024 - #api.alsa.headroom = 0 - #api.alsa.start-delay = 0 - #api.alsa.disable-mmap = false - #api.alsa.disable-batch = false - #api.alsa.use-chmap = false - } - } - } + #api.alsa.period-size = 1024 + #api.alsa.headroom = 0 + #api.alsa.start-delay = 0 + #api.alsa.disable-mmap = false + #api.alsa.disable-batch = false + #api.alsa.use-chmap = false + } + } + } ] diff --git a/conf/sway/README.md b/conf/sway/README.md index a07a3d48..e9f933df 100644 --- a/conf/sway/README.md +++ b/conf/sway/README.md @@ -25,7 +25,7 @@ methods setting fonts): - Document text: Noto Serif Regular 11 - Monospace text: Noto Sans Mono Regular 10 - Legacy window title text: Noto Serif Bold 11 - - Apparently this means "apps that don't use client-side decorations" + - Apparently this means "apps that don't use client-side decorations" The number behind is obviously the number and it's based on what were the defaults before I touched them so I am hoping GNOME knows what they are 
@@ -42,10 +42,10 @@ have trouble handling it, e.g. mpv (makes Ä and Ö and Å all Å) and Firefox Other font settings in GNOME-Tweak: - Hinting: _a bit_ - - for no particular reason + - for no particular reason - Antialiasing: _Subpixel (for LCD-displays)_ - - I have no idea where there are "standard grayscale" displays that aren't - LCD. + - I have no idea where there are "standard grayscale" displays that aren't + LCD. ### Screen mirroring @@ -56,6 +56,6 @@ Workarounds: - Use VNC (see my Scripts repo [`bash/swaymirror.bash`](https://gitea.blesmrt.net/mikaela/scripts/src/branch/master/bash/swaymirror.bash)) - Do something weird with OBS - Use a dedicated application that don't seem to be in Fedora repos, flatpak - or snap. - - [github.com/Ferdi265/wl-mirror](https://github.com/Ferdi265/wl-mirror) - - [github.com/progandy/wdomirror](https://github.com/progandy/wdomirror) + or snap. + - [github.com/Ferdi265/wl-mirror](https://github.com/Ferdi265/wl-mirror) + - [github.com/progandy/wdomirror](https://github.com/progandy/wdomirror) diff --git a/conf/sway/config.d/README.md b/conf/sway/config.d/README.md index 864c0a09..440c0011 100644 --- a/conf/sway/config.d/README.md +++ b/conf/sway/config.d/README.md @@ -5,7 +5,7 @@ Thus this `README.md` is not read, even if I happened to carelessly copy-paste it in. - `autostart-communication.conf` - chat/communication apps I am expected to have - open or at least check at times + open or at least check at times - `autostart-fineid.conf` - Finnish electric identity card, that I also use as SSH key - `autostart-utilities.conf` - general utilities, like `nm-applet` or VPN etc. - `grimshot.conf` - screenshotting keybinds using `grimshot` 
@@ -13,15 +13,15 @@ copy-paste it in. - `keyboard.conf` - keyboard configuration - `media.conf` - media key configuration and autostarts related to it - `pointer-accel.conf` - pointer/mouse configuration, mainly setting acceleration - profile to `flat` + profile to `flat` - `README.md` - you are currently reading this :wink: - `sedric.conf` - configuration specific to my laptop hostnamed `sedric` - `swaybar.conf` - `swaybar` configuration - `swayidle.conf` - `swayidle` configuration/autostart - `wlsunset-kotka.conf` - `wlsunset` configuration/autostart for my hometown for when - I happen to visit for longer period of time + I happen to visit for longer period of time - `wlsunset-lauttasaari.conf` - `wlsunset` configuration for my home neighbourhood - `zz-floating.conf` - configures windows that should float. For some reason - that is inherited from my `i3` config, it tells to put float rules above the - last line, so it should be read last and `z` is the last letter of English - alphabet so it will hopefully be read last. + that is inherited from my `i3` config, it tells to put float rules above the + last line, so it should be read last and `z` is the last letter of English + alphabet so it will hopefully be read last. diff --git a/conf/sway/config.d/swayidle.conf b/conf/sway/config.d/swayidle.conf index d9b48125..582bf9ec 100644 --- a/conf/sway/config.d/swayidle.conf +++ b/conf/sway/config.d/swayidle.conf 
@@ -1,11 +1,11 @@ # Copied from `man swayidle`, except the $ScreenLockCmd that I don't # want to repeat. -# This will lock your screen after 300 seconds of inactivity, then turn off -# your displays after another 300 seconds, and turn your screens back on -# when resumed. It will also lock your screen before your computer goes to -# sleep. +# This will lock your screen after 300 seconds of inactivity, then turn off +# your displays after another 300 seconds, and turn your screens back on +# when resumed. It will also lock your screen before your computer goes to +# sleep. exec swayidle -w \ - timeout 300 "\"$ScreenLockCmd\"" \ - timeout 600 'swaymsg "output * dpms off"' \ + timeout 300 "\"$ScreenLockCmd\"" \ + timeout 600 'swaymsg "output * dpms off"' \ resume 'swaymsg "output * dpms on"' \ - before-sleep "\"$ScreenLockCmd\"" + before-sleep "\"$ScreenLockCmd\"" diff --git a/conf/tmux-old-ncurses.bash b/conf/tmux-old-ncurses.bash index 744688c8..c81d744c 100755 --- a/conf/tmux-old-ncurses.bash +++ b/conf/tmux-old-ncurses.bash @@ -2,5 +2,5 @@ # Intended for systems with ncurses < 6 which is missing TERMINFO # for tmux-256color. if [[ $TERM == 'tmux-256color' ]]; then - export TERM=screen-256color + export TERM=screen-256color fi diff --git a/etc/X11/xorg.conf.d/00-keyboard.conf b/etc/X11/xorg.conf.d/00-keyboard.conf index 5b5efe45..8d6eb587 100644 --- a/etc/X11/xorg.conf.d/00-keyboard.conf +++ b/etc/X11/xorg.conf.d/00-keyboard.conf @@ -1,8 +1,8 @@ # Read and parsed by systemd-localed. It's probably wise not to edit this file # manually too freely. Section "InputClass" - Identifier "system-keyboard" - MatchIsKeyboard "on" - Option "XkbLayout" "fi" - Option "XkbModel" "compose:menu" + Identifier "system-keyboard" + MatchIsKeyboard "on" + Option "XkbLayout" "fi" + Option "XkbModel" "compose:menu" EndSection diff --git a/etc/apt/sources.list/ubuntu b/etc/apt/sources.list/ubuntu index 10b63071..b6e73ecb 100644 --- a/etc/apt/sources.list/ubuntu 
+++ b/etc/apt/sources.list/ubuntu @@ -46,4 +46,4 @@ deb-src http://security.ubuntu.com/ubuntu/ CODENAME-security main restricted deb http://security.ubuntu.com/ubuntu/ CODENAME-security universe deb-src http://security.ubuntu.com/ubuntu/ CODENAME-security universe deb http://security.ubuntu.com/ubuntu/ CODENAME-security multiverse -deb-src http://security.ubuntu.com/ubuntu/ CODENAME-security multiverse \ No newline at end of file +deb-src http://security.ubuntu.com/ubuntu/ CODENAME-security multiverse diff --git a/etc/dnscrypt-proxy/dnscrypt-proxy.toml b/etc/dnscrypt-proxy/dnscrypt-proxy.toml index 8665e90b..84df0c9f 100644 --- a/etc/dnscrypt-proxy/dnscrypt-proxy.toml +++ b/etc/dnscrypt-proxy/dnscrypt-proxy.toml 
@@ -70,31 +70,31 @@ lb_strategy = 'p2' # Logging to be enabled by hand on systems needing them #[query_log] -# file = '/var/log/dnscrypt-proxy/query.log' +# file = '/var/log/dnscrypt-proxy/query.log' #[nx_log] -# file = '/var/log/dnscrypt-proxy/nx.log' +# file = '/var/log/dnscrypt-proxy/nx.log' [sources] - [sources.'public-resolvers'] - #url = 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md' - urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md', 'https://cdn.staticaly.com/gh/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://evilvibes.com/list/public-resolvers.md'] - cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md' - minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' - refresh_delay = 72 - prefix = 'public-' + [sources.'public-resolvers'] + #url = 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md' + urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md', 'https://cdn.staticaly.com/gh/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://evilvibes.com/list/public-resolvers.md'] + cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md' + minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' + refresh_delay = 72 + prefix = 'public-' [sources.'opennic'] - urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/opennic.md', 'https://download.dnscrypt.info/resolvers-list/v2/opennic.md'] - minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' - refresh_delay = 72 - cache_file = '/var/cache/dnscrypt-proxy/opennic.md' - prefix = 'opennic-' + urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/opennic.md', 
'https://download.dnscrypt.info/resolvers-list/v2/opennic.md'] + minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' + refresh_delay = 72 + cache_file = '/var/cache/dnscrypt-proxy/opennic.md' + prefix = 'opennic-' # 2.0.23 recommended so onions won't be attempted without proxy enabled # (5c9edfccfe67474bee2836ada67f955f10e43357) # I won't uncomment this until I have updated version everywhere. #[sources.'onion-services'] -# urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/onion-services.md', 'https://download.dnscrypt.info/resolvers-list/v2/onion-services.md'] -# minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' -# cache_file = '/var/cache/dnscrypt-proxy/onion-services.md' -# prefix = 'onion-' +# urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/onion-services.md', 'https://download.dnscrypt.info/resolvers-list/v2/onion-services.md'] +# minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' +# cache_file = '/var/cache/dnscrypt-proxy/onion-services.md' +# prefix = 'onion-' diff --git a/etc/fahclient/config.xml b/etc/fahclient/config.xml index 11747fd7..8209119c 100644 --- a/etc/fahclient/config.xml +++ b/etc/fahclient/config.xml @@ -1,21 +1,21 @@ - - - + + + - - - + + + - - + + - - - - + + + + - - - + + + diff --git a/etc/install b/etc/install index 160c9964..bad0d48c 100755 --- a/etc/install +++ b/etc/install @@ -15,8 +15,8 @@ chmod a+r /etc/systemd/system/oidentd.socket mkdir -p /etc/sysctl.d/ if [ ! -f /etc/sysctl.d/60-mikaela.conf ]; then - cat sysctl.d/60-mikaela.conf > /etc/sysctl.d/60-mikaela.conf - chmod a+r /etc/sysctl.d/60-mikaela.conf + cat sysctl.d/60-mikaela.conf > /etc/sysctl.d/60-mikaela.conf + chmod a+r /etc/sysctl.d/60-mikaela.conf fi echo 'If you use systemd or oidentd you should "systemctl daemon-reload"' diff --git a/etc/nginx/README.md b/etc/nginx/README.md index c869eb4e..2c080a93 100644 --- a/etc/nginx/README.md 
+++ b/etc/nginx/README.md @@ -8,9 +8,9 @@ cannot read them from here. These files may age badly, so here are some hopefully timeless pointers: - Generate the config file with https://ssl-config.mozilla.org/ (and if - time eats it, try https://github.com/mozilla/ssl-config-generator/ in - hope of finding where it is now. \* Name it 00-something so it will be the first file read and make - everything a different file. + time eats it, try https://github.com/mozilla/ssl-config-generator/ in + hope of finding where it is now. \* Name it 00-something so it will be the first file read and make + everything a different file. - If using my acmesh-ssl.bash script, the files to fill should be like: (the script runs `$ACMESH --key-file $NGINXDIR/key.pem --fullchain-file $NGINXDIR/cert.pem --reloadcmd "$SYSTEMCTLRESTART nginx"`) 
@@ -21,11 +21,11 @@ These files may age badly, so here are some hopefully timeless pointers: The header syntax is following, **_THIS LIKELY WON'T TIME WELL, ESPECIALLY CSP_** ``` - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header Content-Security-Policy "block-all-mixed-content; default-src 'none'; form-action 'self'; connect-src 'self' ws: wss:; style-src 'self' https: 'unsafe-inline'; script-src 'self'; worker-src 'self'; child-src 'self'; manifest-src 'self'; font-src 'self' https:; media-src 'self' https:; img-src 'self' data: https://user-images.githubusercontent.com" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-referrer" always; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header Content-Security-Policy "block-all-mixed-content; default-src 'none'; form-action 'self'; connect-src 'self' ws: wss:; style-src 'self' https: 'unsafe-inline'; script-src 'self'; worker-src 'self'; child-src 'self'; manifest-src 'self'; font-src 'self' https:; media-src 'self' https:; img-src 'self' data: https://user-images.githubusercontent.com" always; + add_header X-Content-Type-Options "nosniff" always; + add_header Referrer-Policy "no-referrer" always; ``` The CSP comes from `HEAD "http://[::]:9000/#/chan-1"` to figure out what @@ -33,9 +33,9 @@ TheLounge would be setting without a reverse proxy in front of it. `HEAD` is in Debian package `libwww-perl` - Refer to tester tools to see if the configuration is fine: - - https://observatory.mozilla.org/ - - https://securityheaders.com/ - - https://www.ssllabs.com/ssltest/ + - https://observatory.mozilla.org/ + - https://securityheaders.com/ + - https://www.ssllabs.com/ssltest/ --- diff --git a/etc/nginx/conf.d/bitbot.conf b/etc/nginx/conf.d/bitbot.conf index 898213e6..21321f0c 100644 
--- a/etc/nginx/conf.d/bitbot.conf +++ b/etc/nginx/conf.d/bitbot.conf @@ -1,17 +1,17 @@ server { - listen 80; - listen 443; - listen 14402; - listen [::]:80; - listen [::]:443; - listen [::]:14402; - ssl_certificate /etc/nginx/ssl/cert.pem; - ssl_certificate_key /etc/nginx/ssl/key.pem; - server_name bitbot.relpda.mikaela.info; + listen 80; + listen 443; + listen 14402; + listen [::]:80; + listen [::]:443; + listen [::]:14402; + ssl_certificate /etc/nginx/ssl/cert.pem; + ssl_certificate_key /etc/nginx/ssl/key.pem; + server_name bitbot.relpda.mikaela.info; - access_log /var/log/nginx/bitbot.access.log main; + access_log /var/log/nginx/bitbot.access.log main; - location / { - proxy_pass http://[::1]:9050; - } + location / { + proxy_pass http://[::1]:9050; + } } diff --git a/etc/nginx/conf.d/cloudflare.conf b/etc/nginx/conf.d/cloudflare.conf index 2bd8ab60..904537c1 100644 --- a/etc/nginx/conf.d/cloudflare.conf +++ b/etc/nginx/conf.d/cloudflare.conf 
@@ -1,20 +1,20 @@ - # Cloudflare - set_real_ip_from 199.27.128.0/21; - set_real_ip_from 173.245.48.0/20; - set_real_ip_from 103.21.244.0/22; - set_real_ip_from 103.22.200.0/22; - set_real_ip_from 103.31.4.0/22; - set_real_ip_from 141.101.64.0/18; - set_real_ip_from 108.162.192.0/18; - set_real_ip_from 190.93.240.0/20; - set_real_ip_from 188.114.96.0/20; - set_real_ip_from 197.234.240.0/22; - set_real_ip_from 198.41.128.0/17; - set_real_ip_from 162.158.0.0/15; - set_real_ip_from 104.16.0.0/12; - set_real_ip_from 2400:cb00::/32; - set_real_ip_from 2606:4700::/32; - set_real_ip_from 2803:f800::/32; - set_real_ip_from 2405:b500::/32; - set_real_ip_from 2405:8100::/32; - real_ip_header CF-Connecting-IP; +# Cloudflare + set_real_ip_from 199.27.128.0/21; + set_real_ip_from 173.245.48.0/20; + set_real_ip_from 103.21.244.0/22; + set_real_ip_from 103.22.200.0/22; + set_real_ip_from 103.31.4.0/22; + set_real_ip_from 141.101.64.0/18; + set_real_ip_from 108.162.192.0/18; + set_real_ip_from 190.93.240.0/20; + set_real_ip_from 188.114.96.0/20; + set_real_ip_from 197.234.240.0/22; + set_real_ip_from 198.41.128.0/17; + set_real_ip_from 162.158.0.0/15; + set_real_ip_from 104.16.0.0/12; + set_real_ip_from 2400:cb00::/32; + set_real_ip_from 2606:4700::/32; + set_real_ip_from 2803:f800::/32; + set_real_ip_from 2405:b500::/32; + set_real_ip_from 2405:8100::/32; + real_ip_header CF-Connecting-IP; diff --git a/etc/nginx/conf.d/default.conf b/etc/nginx/conf.d/default.conf index f6bd7b8a..d74f35c0 100644 --- a/etc/nginx/conf.d/default.conf +++ b/etc/nginx/conf.d/default.conf 
@@ -1,57 +1,57 @@ server { - listen 80; - listen 443 ssl; - listen 14402 ssl; - listen [::]:80 ipv6only=on; - listen [::]:443 ssl ipv6only=on; - listen [::]:14402 ssl ipv6only=on; - ssl_certificate /etc/nginx/ssl/cert.pem; - ssl_certificate_key /etc/nginx/ssl/key.pem; - server_name relpda.mikaela.info; + listen 80; + listen 443 ssl; + listen 14402 ssl; + listen [::]:80 ipv6only=on; + listen [::]:443 ssl ipv6only=on; + listen [::]:14402 ssl ipv6only=on; + ssl_certificate /etc/nginx/ssl/cert.pem; + ssl_certificate_key /etc/nginx/ssl/key.pem; + server_name relpda.mikaela.info; - #charset koi8-r; - #access_log /var/log/nginx/host.access.log main; + #charset koi8-r; + #access_log /var/log/nginx/host.access.log main; #location /api/ { -# proxy_pass http://[::1]:9050; -# } +# proxy_pass http://[::1]:9050; +# } - location / { - root /usr/share/nginx/html; - index index.html index.htm; - } + location / { + root /usr/share/nginx/html; + index index.html index.htm; + } - #error_page 404 /404.html; + #error_page 404 /404.html; - # redirect server error pages to the static page /50x.html - # - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; - } + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } - # proxy the PHP scripts to Apache listening on 127.0.0.1:80 - # - #location ~ \.php$ { - # proxy_pass http://127.0.0.1; - #} + # proxy the PHP scripts to Apache listening on 127.0.0.1:80 + # + #location ~ \.php$ { + # proxy_pass http://127.0.0.1; + #} - # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 - # - #location ~ \.php$ { - # root html; - # fastcgi_pass 127.0.0.1:9000; - # fastcgi_index index.php; - # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; - # include fastcgi_params; - #} + # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 + # + #location ~ \.php$ { + # root html; + 
# fastcgi_pass 127.0.0.1:9000; + # fastcgi_index index.php; + # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; + # include fastcgi_params; + #} - # deny access to .htaccess files, if Apache's document root - # concurs with nginx's one - # - #location ~ /\.ht { - # deny all; - #} + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + # + #location ~ /\.ht { + # deny all; + #} } diff --git a/etc/nginx/sites-enabled/old/host b/etc/nginx/sites-enabled/old/host index b3d90334..712599f9 100644 --- a/etc/nginx/sites-enabled/old/host +++ b/etc/nginx/sites-enabled/old/host 
@@ -1,94 +1,94 @@ server { - listen 80 default_server; - listen [::]:80 default_server ipv6only=on; - listen 443 default_server ssl http2; - listen [::]:443 default_server ssl http2 ipv6only=on; + listen 80 default_server; + listen [::]:80 default_server ipv6only=on; + listen 443 default_server ssl http2; + listen [::]:443 default_server ssl http2 ipv6only=on; - root /var/www/default/; - index index.php index.html index.htm; + root /var/www/default/; + index index.php index.html index.htm; ### Generating SSL certificate: ## mkdir -p /etc/nginx/ssl && cd /etc/nginx/ssl ## openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout nginx.key -out nginx.crt ### this takes forever and is used on line 23. ## openssl dhparam -out dhparam.pem 4096 - ssl_certificate /etc/nginx/ssl/nginx.crt; - ssl_certificate_key /etc/nginx/ssl/nginx.key; + ssl_certificate /etc/nginx/ssl/nginx.crt; + ssl_certificate_key /etc/nginx/ssl/nginx.key; # ----- begin of Mozilla Server Side TLS recommendations ----- # **2014-11-07** https://wiki.mozilla.org/Security/Server_Side_TLS - ssl_session_timeout 5m; - ssl_session_cache shared:SSL:50m; + ssl_session_timeout 5m; + ssl_session_cache shared:SSL:50m; - # Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits - # See generation on line 14 - ssl_dhparam /etc/nginx/ssl/dhparam.pem; + # Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits + # See generation on line 14 + ssl_dhparam /etc/nginx/ssl/dhparam.pem; - # Intermediate configuration. tweak to your needs. - # comment just for me, don't uncomment. 
- #ssl_ciphers ''; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; - ssl_prefer_server_ciphers on; + # Intermediate configuration. tweak to your needs. + # comment just for me, don't uncomment. + #ssl_ciphers ''; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; + ssl_prefer_server_ciphers on; - # Enable this if your want HSTS (recommended) - add_header Strict-Transport-Security "max-age=15552000; includeSubdomains; preload"; - add_header X-Frame-Options SAMEORIGIN; - add_header Content-Security-Policy upgrade-insecure-requests; - add_header 
X-Xss-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; + # Enable this if your want HSTS (recommended) + add_header Strict-Transport-Security "max-age=15552000; includeSubdomains; preload"; + add_header X-Frame-Options SAMEORIGIN; + add_header Content-Security-Policy upgrade-insecure-requests; + add_header X-Xss-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; - # OCSP Stapling --- - # fetch OCSP records from URL in ssl_certificate and cache them - ssl_stapling on; - ssl_stapling_verify on; - ## verify chain of trust of OCSP response using Root CA and Intermediate certs - #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; - #resolver ::1; + # OCSP Stapling --- + # fetch OCSP records from URL in ssl_certificate and cache them + ssl_stapling on; + ssl_stapling_verify on; + ## verify chain of trust of OCSP response using Root CA and Intermediate certs + #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; + #resolver ::1; # ----- end of Mozilla Server Side TLS recommendations ----- - location / { - # First attempt to serve request as file, then - # as directory, then fall back to displaying a 404. - try_files $uri $uri/ =404; - autoindex on; - } + location / { + # First attempt to serve request as file, then + # as directory, then fall back to displaying a 404. 
+ try_files $uri $uri/ =404; + autoindex on; + } - # Userdir - location ~ ^/~(.+?)(/.*)?$ { - alias /home/$1/public_html$2; - index index.html index.htm; - autoindex on; - } + # Userdir + location ~ ^/~(.+?)(/.*)?$ { + alias /home/$1/public_html$2; + index index.html index.htm; + autoindex on; + } - #error_page 404 /404.html; + #error_page 404 /404.html; - # redirect server error pages to the static page /50x.html - # - #error_page 500 502 503 504 /50x.html; - #location = /50x.html { - # root /usr/share/nginx/html; - #} + # redirect server error pages to the static page /50x.html + # + #error_page 500 502 503 504 /50x.html; + #location = /50x.html { + # root /usr/share/nginx/html; + #} - # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 - # - location ~ \.php$ { - fastcgi_split_path_info ^(.+\.php)(/.+)$; - # # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini - # - # # With php5-cgi alone: - # fastcgi_pass 127.0.0.1:9000; - # # With php5-fpm: - fastcgi_pass unix:/var/run/php5-fpm.sock; - fastcgi_index index.php; - #include fastcgi_params; - include fastcgi.conf; - } + # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 + # + location ~ \.php$ { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + # # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini + # + # # With php5-cgi alone: + # fastcgi_pass 127.0.0.1:9000; + # # With php5-fpm: + fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_index index.php; + #include fastcgi_params; + include fastcgi.conf; + } - # deny access to .htaccess files, if Apache's document root - # concurs with nginx's one - # - location ~ /\.ht { - deny all; - } + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + # + location ~ /\.ht { + deny all; + } } diff --git a/etc/nginx/sites-enabled/rproxy b/etc/nginx/sites-enabled/rproxy index ef321ebe..c7ef8130 100644 --- a/etc/nginx/sites-enabled/rproxy +++ b/etc/nginx/sites-enabled/rproxy 
@@ -1,23 +1,23 @@ server { - listen 80; - listen [::]:80; - listen 443; - listen [::]:443; + listen 80; + listen [::]:80; + listen 443; + listen [::]:443; - # Enable this if your want HSTS (recommended) - add_header Strict-Transport-Security "max-age=15552000; includeSubdomains; preload"; - add_header X-Frame-Options SAMEORIGIN; - add_header Content-Security-Policy upgrade-insecure-requests; - add_header X-Xss-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; + # Enable this if your want HSTS (recommended) + add_header Strict-Transport-Security "max-age=15552000; includeSubdomains; preload"; + add_header X-Frame-Options SAMEORIGIN; + add_header Content-Security-Policy upgrade-insecure-requests; + add_header X-Xss-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; - server_name something.example.org; + server_name something.example.org; # NOTE: For X-Real-IP & X-Forwarded-For see ../conf.d/rproxy.conf # Behind CloudFlare see ../conf.d/cloudflare.conf location / { - proxy_pass http://localhost:8080; - } + proxy_pass http://localhost:8080; + } } diff --git a/etc/nginx/sites-enabled/vhost b/etc/nginx/sites-enabled/vhost index 1f0264d9..b5e41655 100644 --- a/etc/nginx/sites-enabled/vhost +++ b/etc/nginx/sites-enabled/vhost 
@@ -1,67 +1,67 @@ server { - # default_server from default vhost must exist somewhere! - listen 80; - listen [::]:80; - listen 443; - listen [::]:443; + # default_server from default vhost must exist somewhere! + listen 80; + listen [::]:80; + listen 443; + listen [::]:443; - # Enable this if your want HSTS (recommended) - add_header Strict-Transport-Security "max-age=15552000; includeSubdomains; preload"; - add_header X-Frame-Options SAMEORIGIN; - add_header Content-Security-Policy upgrade-insecure-requests; - add_header X-Xss-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; + # Enable this if your want HSTS (recommended) + add_header Strict-Transport-Security "max-age=15552000; includeSubdomains; preload"; + add_header X-Frame-Options SAMEORIGIN; + add_header Content-Security-Policy upgrade-insecure-requests; + add_header X-Xss-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; - root /var/www/vhostdir; - index index.php index.html index.htm; + root /var/www/vhostdir; + index index.php index.html index.htm; - # vhost address - server_name vhost.example.org; + # vhost address + server_name vhost.example.org; - location / { - # First attempt to serve request as file, then - # as directory, then fall back to displaying a 404. - try_files $uri $uri/ =404; - autoindex off; - } + location / { + # First attempt to serve request as file, then + # as directory, then fall back to displaying a 404. 
+ try_files $uri $uri/ =404; + autoindex off; + } - # Userdir - #ilocation ~ ^/~(.+?)(/.*)?$ { - # alias /home/$1/public_html$2; - # index index.html index.htm; - # autoindex on; - #} + # Userdir + #ilocation ~ ^/~(.+?)(/.*)?$ { + # alias /home/$1/public_html$2; + # index index.html index.htm; + # autoindex on; + #} - #error_page 404 /404.html; + #error_page 404 /404.html; - # redirect server error pages to the static page /50x.html - # - #error_page 500 502 503 504 /50x.html; - #location = /50x.html { - # root /usr/share/nginx/html; - #} + # redirect server error pages to the static page /50x.html + # + #error_page 500 502 503 504 /50x.html; + #location = /50x.html { + # root /usr/share/nginx/html; + #} - # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 - # - location ~ \.php$ { - fastcgi_split_path_info ^(.+\.php)(/.+)$; - # # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini - # - # # With php5-cgi alone: - # fastcgi_pass 127.0.0.1:9000; - # # With php5-fpm: - fastcgi_pass unix:/var/run/php5-fpm.sock; - fastcgi_index index.php; - #include fastcgi_params; - include fastcgi.conf; - } + # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 + # + location ~ \.php$ { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + # # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini + # + # # With php5-cgi alone: + # fastcgi_pass 127.0.0.1:9000; + # # With php5-fpm: + fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_index index.php; + #include fastcgi_params; + include fastcgi.conf; + } - # deny access to .htaccess files, if Apache's document root - # concurs with nginx's one - # - location ~ /\.ht { - deny all; - } + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + # + location ~ /\.ht { + deny all; + } } diff --git a/etc/oidentd.conf b/etc/oidentd.conf index f6446e51..2c2bcb01 100644 --- a/etc/oidentd.conf +++ b/etc/oidentd.conf 
@@ -6,22 +6,22 @@ # Deny everything by default default { - default { - deny spoof - deny spoof_all - deny spoof_privport - deny random - deny random_numeric - deny numeric - deny hide - } + default { + deny spoof + deny spoof_all + deny spoof_privport + deny random + deny random_numeric + deny numeric + deny hide + } } # Don't respond to ident request to root user root { - default { - force hide - } + default { + force hide + } } # Allow user znc to spoof when *Identfile is used @@ -33,13 +33,13 @@ user root { # /msg *identfile setfile ~/.oidentd.conf # /msg *identfile setformat global { reply "%user%" } user "znc" { - default { - allow spoof - allow spoof_all - allow spoof_privport - deny random - deny random_numeric - deny numeric - deny hide - } + default { + allow spoof + allow spoof_all + allow spoof_privport + deny random + deny random_numeric + deny numeric + deny hide + } } diff --git a/etc/pipewire/media-session.d/README.md b/etc/pipewire/media-session.d/README.md index bf4f88ac..10e9c534 100644 --- a/etc/pipewire/media-session.d/README.md +++ b/etc/pipewire/media-session.d/README.md @@ -33,9 +33,9 @@ don't exist by default anymore, they need to be copied and edited separately See also: - https://gitlab.freedesktop.org/pipewire/pipewire/-/issues/1220 - - marked as duplicate of: https://gitlab.freedesktop.org/pipewire/pipewire/-/issues/207 + - marked as duplicate of: https://gitlab.freedesktop.org/pipewire/pipewire/-/issues/207 ## Bluetooth - https://www.redpill-linpro.com/techblog/2021/05/31/better-bluetooth-headset-audio-with-msbc.html - - https://web.archive.org/web/20210614103423/https://www.redpill-linpro.com/techblog/2021/05/31/better-bluetooth-headset-audio-with-msbc.html + - https://web.archive.org/web/20210614103423/https://www.redpill-linpro.com/techblog/2021/05/31/better-bluetooth-headset-audio-with-msbc.html diff --git a/etc/radvd.conf b/etc/radvd.conf index f0d21dbc..2e59fed3 100644 --- a/etc/radvd.conf +++ b/etc/radvd.conf 
@@ -1,15 +1,15 @@ interface eth0 { - AdvSendAdvert on; - AdvOtherConfigFlag on; - prefix 2001:14b8:100:8397::/64 - { - AdvOnLink on; - AdvAutonomous on; - }; - prefix ULA::/64 - { - AdvOnLink on; - AdvAutonomous on; - }; + AdvSendAdvert on; + AdvOtherConfigFlag on; + prefix 2001:14b8:100:8397::/64 + { + AdvOnLink on; + AdvAutonomous on; + }; + prefix ULA::/64 + { + AdvOnLink on; + AdvAutonomous on; + }; }; diff --git a/etc/resolv.conf b/etc/resolv.conf index fdc3485a..7f4a4127 100644 --- a/etc/resolv.conf +++ b/etc/resolv.conf @@ -26,9 +26,9 @@ options edns0 single-request-reopen #trust-ad # !!! /run/systemd/resolve/stub-resolv.conf !!! /usr/lib/systemd/resolv.conf /run/systemd/resolve/resolv.conf # !!! /run/systemd/resolve/stub-resolv.conf !!! contains search domains and doesn't seem to be -# overwritable and somehow works with Mullvad -# https://github.com/mullvad/mullvadvpn-app/issues/1952 -# /usr/lib/systemd/resolv.conf doesn't contain search domains, can -# get overwritten and "broken" -# /run/systemd/resolve/resolv.conf contains uplink resolvers and domains -# SHOULDN'T BE USED! +# overwritable and somehow works with Mullvad +# https://github.com/mullvad/mullvadvpn-app/issues/1952 +# /usr/lib/systemd/resolv.conf doesn't contain search domains, can +# get overwritten and "broken" +# /run/systemd/resolve/resolv.conf contains uplink resolvers and domains +# SHOULDN'T BE USED! diff --git a/etc/ssh/ssh_config.d/example.conf b/etc/ssh/ssh_config.d/example.conf index 5f0e903d..5e8e32d8 100644 --- a/etc/ssh/ssh_config.d/example.conf +++ b/etc/ssh/ssh_config.d/example.conf @@ -1,6 +1,6 @@ #Host example - #Hostname compuutteri.example.net - #Port 12345 - #IdentityFile /home/username/.ssh/privkey - #ProxyJump uzanto@komputilo.example.net:2222 - #User account42 + #Hostname compuutteri.example.net + #Port 12345 + #IdentityFile /home/username/.ssh/privkey + #ProxyJump uzanto@komputilo.example.net:2222 + #User account42 
diff --git a/etc/ssh/sshd_config.d/broken/mikaela-prohibit-password.conf b/etc/ssh/sshd_config.d/broken/mikaela-prohibit-password.conf index 59a7dc40..0d0b8aa4 100644 --- a/etc/ssh/sshd_config.d/broken/mikaela-prohibit-password.conf +++ b/etc/ssh/sshd_config.d/broken/mikaela-prohibit-password.conf @@ -2,6 +2,6 @@ # in reverse so this file is useless. https://serverfault.com/a/461865 # & OpenSSH_8.4p1 Match User mikaela - PasswordAuthentication no - AuthenticationMethods publickey + PasswordAuthentication no + AuthenticationMethods publickey Match All diff --git a/etc/ssh/sshd_config.d/user-permit-password.conf b/etc/ssh/sshd_config.d/user-permit-password.conf index 7e4b7b80..b3bba960 100644 --- a/etc/ssh/sshd_config.d/user-permit-password.conf +++ b/etc/ssh/sshd_config.d/user-permit-password.conf @@ -6,6 +6,6 @@ # https://serverfault.com/a/461865 OpenSSH_8.4p1 #Match User someone,somebodyelse,whoever -# PasswordAuthentication yes -# AuthenticationMethods any +# PasswordAuthentication yes +# AuthenticationMethods any #Match All diff --git a/etc/systemd/resolved.conf.d/README.md b/etc/systemd/resolved.conf.d/README.md index 16e9c781..b5758592 100644 --- a/etc/systemd/resolved.conf.d/README.md +++ b/etc/systemd/resolved.conf.d/README.md 
@@ -12,31 +12,31 @@ sudo systemctl restart systemd-resolved ## Files explained - `00-defaults.conf` - configuration not touching resolvers. Disables DNSSEC (as - systemd-resolved doesn't handle it properly), enables opportunistic DoT and - caching. + systemd-resolved doesn't handle it properly), enables opportunistic DoT and + caching. - `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS. If - captive portals are a concern, `DNSOverTLS=no`. + captive portals are a concern, `DNSOverTLS=no`. - `README.md` - you are reading it right now. ## General commentary - Based on my test DNSOverTLS is not supported in Ubuntu 18.04.x LTS (however - at the time of writing this README.md, the current version is Ubuntu 20.04.0) - (systemd v237). DNSOverTLS became supported in v239, strict mode (yes) in - v243 (big improvements in v244). - - TODO: find out when SNI became supported, I have just spotted it in the - fine manual in 2020-06-??. + at the time of writing this README.md, the current version is Ubuntu 20.04.0) + (systemd v237). DNSOverTLS became supported in v239, strict mode (yes) in + v243 (big improvements in v244). + - TODO: find out when SNI became supported, I have just spotted it in the + fine manual in 2020-06-??. - Domains has to be `.~` for them to override DHCP. See https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd - without which I wouldn't have got this right. + without which I wouldn't have got this right. - DNSSEC may not work if the system is down for a long time and not updated. - Thus `allow-downgrade` may be better for non-tech people, even with the - potential downgrade attack. There are also captive portals, affecting - `DNSOverTLS`. Both take `yes` or `no` or their own special option, - for DNNSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`. + Thus `allow-downgrade` may be better for non-tech people, even with the + potential downgrade attack. 
There are also captive portals, affecting + `DNSOverTLS`. Both take `yes` or `no` or their own special option, + for DNNSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`. Other links I have found important and my files are based on: - https://wiki.archlinux.org/index.php/Systemd-resolved - - Also provides the serious issues systemd-resolved+DNSSEC issues, https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867 + - Also provides the serious issues systemd-resolved+DNSSEC issues, https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867 - request for strict DOT: https://github.com/systemd/systemd/issues/10755 - vulnerable to MITM: https://github.com/systemd/systemd/issues/9397 diff --git a/etc/systemd/system/README.md b/etc/systemd/system/README.md index a28c3b8d..a5949cb5 100644 --- a/etc/systemd/system/README.md +++ b/etc/systemd/system/README.md @@ -4,12 +4,12 @@ subdirectories. The sudirectories won't exist in the real and I forget to update this README file if that happens. - reflector.service is copied from https://wiki.archlinux.org/index.php/Reflector - but uses https instead of http, because there is no reason I would want - someone to see what I download. + but uses https instead of http, because there is no reason I would want + someone to see what I download. ## Worth reading - Waiting for network devices to have IP address (**I only use this for - cables**) https://wiki.freedesktop.org/www/Software/systemd/NetworkTarget/#cutthecraphowdoimakenetwork.targetworkforme - _ systemctl enable NetworkManager-wait-online.service - _ systemctl enable systemd-networkd-wait-online.service + cables**) https://wiki.freedesktop.org/www/Software/systemd/NetworkTarget/#cutthecraphowdoimakenetwork.targetworkforme + _ systemctl enable NetworkManager-wait-online.service + _ systemctl enable systemd-networkd-wait-online.service 
diff --git a/etc/systemd/system/sailfish/README.md b/etc/systemd/system/sailfish/README.md index 75114e4c..55cfe471 100644 --- a/etc/systemd/system/sailfish/README.md +++ b/etc/systemd/system/sailfish/README.md @@ -3,4 +3,4 @@ Sailfish OS. It doesn't have cron, so I tried the nearest equivalent that is there out-of-box, systemd timers. - aliendalvik-stopper again stops android support hourly so it won't waste - battery. + battery. diff --git a/etc/unbound/unbound.conf.d/00-insecure-domains.conf b/etc/unbound/unbound.conf.d/00-insecure-domains.conf index 3b0bf4f9..b52b7026 100644 --- a/etc/unbound/unbound.conf.d/00-insecure-domains.conf +++ b/etc/unbound/unbound.conf.d/00-insecure-domains.conf @@ -7,17 +7,17 @@ server: forward-zone: - name: "mywifiext.net" - forward-tls-upstream: no - forward-addr: 8.8.8.8 + name: "mywifiext.net" + forward-tls-upstream: no + forward-addr: 8.8.8.8 forward-zone: - name: "tplinkrepeater.net" - forward-tls-upstream: no - forward-addr: 8.8.8.8 + name: "tplinkrepeater.net" + forward-tls-upstream: no + forward-addr: 8.8.8.8 # Can I refer to subdomain as a zone? forward-zone: - name: "http.badssl.com" - forward-tls-upstream: no - forward-addr: 8.8.8.8 + name: "http.badssl.com" + forward-tls-upstream: no + forward-addr: 8.8.8.8 diff --git a/etc/unbound/unbound.conf.d/cache.conf b/etc/unbound/unbound.conf.d/cache.conf index c4c120d9..0e9b6a3c 100644 --- a/etc/unbound/unbound.conf.d/cache.conf +++ b/etc/unbound/unbound.conf.d/cache.conf 
@@ -4,14 +4,14 @@ # See also MEMORY CONTROL EXAMPLE in man unbound.conf server: - # bytes in message cache, defaults to 4m - msg-cache-size: 50m - # bytes in rrset cache, defaults to 4m - rrset-cache-size: 50m - # nxdomain cache, default 1m - neg-cache-size: 10m - # Cache results for 15 minutes even if they had a shorter TTL. Cloudflare - # zone export used to have 1 second, and I have also been seeing 1 - # minute in the wild, I think 5 mins shouldn't break anything, but bigger - # might. - cache-min-ttl: 900 + # bytes in message cache, defaults to 4m + msg-cache-size: 50m + # bytes in rrset cache, defaults to 4m + rrset-cache-size: 50m + # nxdomain cache, default 1m + neg-cache-size: 10m + # Cache results for 15 minutes even if they had a shorter TTL. Cloudflare + # zone export used to have 1 second, and I have also been seeing 1 + # minute in the wild, I think 5 mins shouldn't break anything, but bigger + # might. + cache-min-ttl: 900 diff --git a/etc/unbound/unbound.conf.d/dns-over-tls.conf b/etc/unbound/unbound.conf.d/dns-over-tls.conf index d0511bda..9f429d47 100644 --- a/etc/unbound/unbound.conf.d/dns-over-tls.conf +++ b/etc/unbound/unbound.conf.d/dns-over-tls.conf @@ -7,10 +7,10 @@ # root-auto-trust-anchor-file.conf at least on Debian. server: - # Debian ca-certificates location - tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt - # Fedora location - #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem + # Debian ca-certificates location + tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt + # Fedora location + #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem # Hopefully a reasonable set of non-filtering servers including those # listening on 443, preferably Anycast, but not necessarily. 
@@ -21,37 +21,37 @@ server: # (Also I cannot rename this file due to it being linked around)) forward-zone: - name: "." - forward-tls-upstream: yes + name: "." + forward-tls-upstream: yes - # Quad9 - Anycast, Switzerland based - # Non filtering "insecure" servers without DNSSEC, but that is done - # by Unbound locally anyway. - forward-addr: 2620:fe::fe:10@853#dns10.quad9.net - forward-addr: 9.9.9.10@853#dns10.quad9.net - forward-addr: 2620:fe::10@853#dns10.quad9.net - forward-addr: 149.112.112.10@853#dns10.quad9.net + # Quad9 - Anycast, Switzerland based + # Non filtering "insecure" servers without DNSSEC, but that is done + # by Unbound locally anyway. + forward-addr: 2620:fe::fe:10@853#dns10.quad9.net + forward-addr: 9.9.9.10@853#dns10.quad9.net + forward-addr: 2620:fe::10@853#dns10.quad9.net + forward-addr: 149.112.112.10@853#dns10.quad9.net - # Cloudflare DNS - anycast - forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com - forward-addr: 1.1.1.1@853#cloudflare-dns.com - forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com - forward-addr: 1.0.0.1@853#cloudflare-dns.com + # Cloudflare DNS - anycast + forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com + forward-addr: 1.1.1.1@853#cloudflare-dns.com + forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com + forward-addr: 1.0.0.1@853#cloudflare-dns.com - ## DNS-over-TLS on port 443, no filtering. Mainly useful for traveling - ## laptops? - # https://appliedprivacy.net/services/dns/ - Vienna, Austria - #forward-addr: 2a02:1b8:10:234::2@443#dot1.applied-privacy.net - #forward-addr: 146.255.56.98@443#dot1.applied-privacy.net + ## DNS-over-TLS on port 443, no filtering. Mainly useful for traveling + ## laptops? 
+ # https://appliedprivacy.net/services/dns/ - Vienna, Austria + #forward-addr: 2a02:1b8:10:234::2@443#dot1.applied-privacy.net + #forward-addr: 146.255.56.98@443#dot1.applied-privacy.net - # Adguard DNS Unfiltered Anycast - forward-addr: 2a10:50c0::1:ff@853#dns-unfiltered.adguard.com - forward-addr: 2a10:50c0::2:ff@853#dns-unfiltered.adguard.com - forward-addr: 94.140.14.140@853#dns-unfiltered.adguard.com - forward-addr: 94.140.14.141@853#dns-unfiltered.adguard.com + # Adguard DNS Unfiltered Anycast + forward-addr: 2a10:50c0::1:ff@853#dns-unfiltered.adguard.com + forward-addr: 2a10:50c0::2:ff@853#dns-unfiltered.adguard.com + forward-addr: 94.140.14.140@853#dns-unfiltered.adguard.com + forward-addr: 94.140.14.141@853#dns-unfiltered.adguard.com - # NextDNS - anycast - forward-addr: 45.90.28.0@853#dns1.nextdns.io - forward-addr: 2a07:a8c0::@853#dns1.nextdns.io - forward-addr: 45.90.30.0@853#dns2.nextdns.io - forward-addr: 2a07:a8c1::@853#dns2.nextdns.io + # NextDNS - anycast + forward-addr: 45.90.28.0@853#dns1.nextdns.io + forward-addr: 2a07:a8c0::@853#dns1.nextdns.io + forward-addr: 45.90.30.0@853#dns2.nextdns.io + forward-addr: 2a07:a8c1::@853#dns2.nextdns.io diff --git a/etc/unbound/unbound.conf.d/dns64-over-tls.conf b/etc/unbound/unbound.conf.d/dns64-over-tls.conf index 6f4609eb..e59496ce 100644 --- a/etc/unbound/unbound.conf.d/dns64-over-tls.conf +++ b/etc/unbound/unbound.conf.d/dns64-over-tls.conf 
@@ -2,23 +2,23 @@ # are currently rare. And this is more of a placeholder. server: - # Debian ca-certificates location - tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt - # ctrl.blog says this is the Fedora location - #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem + # Debian ca-certificates location + tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt + # ctrl.blog says this is the Fedora location + #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem # Forward queries to forward-zone: - name: "." - forward-tls-upstream: yes + name: "." + forward-tls-upstream: yes - # Google DNS64 for 64:ff9b::/96 - # As of 2019-08-25 this doesn't seem to actually be working, but I hope - # Google will fix it by the time I actually have IPv6 only hosts and - # there will be not-Google options. - #forward-addr: 2001:4860:4860::6464@853#dns64.dns.google - #forward-addr: 2001:4860:4860::64@853#dns64.dns.google + # Google DNS64 for 64:ff9b::/96 + # As of 2019-08-25 this doesn't seem to actually be working, but I hope + # Google will fix it by the time I actually have IPv6 only hosts and + # there will be not-Google options. + #forward-addr: 2001:4860:4860::6464@853#dns64.dns.google + #forward-addr: 2001:4860:4860::64@853#dns64.dns.google - # Cloudflare for 64:ff9b::/96 - forward-addr: 2606:4700:4700::64@853#dns64.cloudflare-dns.com - forward-addr: 2606:4700:4700::6400@853#dns64.cloudflare-dns.com + # Cloudflare for 64:ff9b::/96 + forward-addr: 2606:4700:4700::64@853#dns64.cloudflare-dns.com + forward-addr: 2606:4700:4700::6400@853#dns64.cloudflare-dns.com diff --git a/etc/unbound/unbound.conf.d/dnscrypt-proxy.conf b/etc/unbound/unbound.conf.d/dnscrypt-proxy.conf index 4ef680f2..57768c24 100644 --- a/etc/unbound/unbound.conf.d/dnscrypt-proxy.conf +++ b/etc/unbound/unbound.conf.d/dnscrypt-proxy.conf 
@@ -1,5 +1,5 @@ # From https://wiki.archlinux.org/index.php/DNSCrypt do-not-query-localhost: no forward-zone: - name: "." - forward-addr: 127.0.2.1@53 + name: "." + forward-addr: 127.0.2.1@53 diff --git a/etc/unbound/unbound.conf.d/dot-adguard.conf b/etc/unbound/unbound.conf.d/dot-adguard.conf index 442868b0..224d1704 100644 --- a/etc/unbound/unbound.conf.d/dot-adguard.conf +++ b/etc/unbound/unbound.conf.d/dot-adguard.conf @@ -1,15 +1,15 @@ server: - # Debian ca-certificates location - tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt - # ctrl.blog says this is the Fedora location - #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem + # Debian ca-certificates location + tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt + # ctrl.blog says this is the Fedora location + #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem forward-zone: - name: "." - forward-tls-upstream: yes - forward-addr: 2a10:50c0::ad1:ff@853#dns.adguard.com - forward-addr: 94.140.14.14@853#dns.adguard.com - forward-addr: 2a10:50c0::ad2:ff@853#dns.adguard.com - forward-addr: 94.140.15.15@853#dns.adguard.com + name: "." + forward-tls-upstream: yes + forward-addr: 2a10:50c0::ad1:ff@853#dns.adguard.com + forward-addr: 94.140.14.14@853#dns.adguard.com + forward-addr: 2a10:50c0::ad2:ff@853#dns.adguard.com + forward-addr: 94.140.15.15@853#dns.adguard.com # Updated for https://adguard.com/en/blog/adguard-dns-new-addresses.html diff --git a/etc/unbound/unbound.conf.d/dot-fluhable-cache.conf b/etc/unbound/unbound.conf.d/dot-fluhable-cache.conf index 99773e52..01ea3e57 100644 --- a/etc/unbound/unbound.conf.d/dot-fluhable-cache.conf +++ b/etc/unbound/unbound.conf.d/dot-fluhable-cache.conf 
@@ -2,25 +2,25 @@ # Based on https://www.ctrl.blog/entry/unbound-tls-forwarding.html server: - # Debian ca-certificates location - tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt - # Fedora location - #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem + # Debian ca-certificates location + tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt + # Fedora location + #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem # DNS servers that have public button for flushing cache. Privacy not considered. forward-zone: - name: "." - forward-tls-upstream: yes + name: "." + forward-tls-upstream: yes - # Cloudflare / https://1.1.1.1/purge-cache/ - forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com - forward-addr: 1.1.1.1@853#cloudflare-dns.com - forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com - forward-addr: 1.0.0.1@853#cloudflare-dns.com + # Cloudflare / https://1.1.1.1/purge-cache/ + forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com + forward-addr: 1.1.1.1@853#cloudflare-dns.com + forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com + forward-addr: 1.0.0.1@853#cloudflare-dns.com - # Google / https://dns.google/cache - forward-addr: 8.8.8.8@853#dns.google - forward-addr: 8.8.4.4@853#dns.google - forward-addr: 2001:4860:4860::8888@853#dns.google - forward-addr: 2001:4860:4860::8844@853#dns.google + # Google / https://dns.google/cache + forward-addr: 8.8.8.8@853#dns.google + forward-addr: 8.8.4.4@853#dns.google + forward-addr: 2001:4860:4860::8888@853#dns.google + forward-addr: 2001:4860:4860::8844@853#dns.google diff --git a/etc/unbound/unbound.conf.d/dot-mullvad-adblock.conf b/etc/unbound/unbound.conf.d/dot-mullvad-adblock.conf index d9fc117f..45ded4bb 100644 --- a/etc/unbound/unbound.conf.d/dot-mullvad-adblock.conf +++ b/etc/unbound/unbound.conf.d/dot-mullvad-adblock.conf 
@@ -1,12 +1,12 @@ server: - # Debian ca-certificates location - tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt - # ctrl.blog says this is the Fedora location - #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem + # Debian ca-certificates location + tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt + # ctrl.blog says this is the Fedora location + #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem forward-zone: - name: "." - forward-tls-upstream: yes - forward-addr: 2a07:e340::3@853#adblock.doh.mullvad.net - forward-addr: 194.242.2.3@853#adblock.doh.mullvad.net - forward-addr: 193.19.108.3@853#adblock.doh.mullvad.net + name: "." + forward-tls-upstream: yes + forward-addr: 2a07:e340::3@853#adblock.doh.mullvad.net + forward-addr: 194.242.2.3@853#adblock.doh.mullvad.net + forward-addr: 193.19.108.3@853#adblock.doh.mullvad.net diff --git a/etc/unbound/unbound.conf.d/dot-mullvad.conf b/etc/unbound/unbound.conf.d/dot-mullvad.conf index cb256cff..24384a6e 100644 --- a/etc/unbound/unbound.conf.d/dot-mullvad.conf +++ b/etc/unbound/unbound.conf.d/dot-mullvad.conf @@ -1,12 +1,12 @@ server: - # Debian ca-certificates location - tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt - # ctrl.blog says this is the Fedora location - #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem + # Debian ca-certificates location + tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt + # ctrl.blog says this is the Fedora location + #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem forward-zone: - name: "." - forward-tls-upstream: yes - forward-addr: 2a07:e340::2@853#doh.mullvad.net - forward-addr: 194.242.2.2@853#doh.mullvad.net - forward-addr: 193.19.108.2@853#doh.mullvad.net + name: "." + forward-tls-upstream: yes + forward-addr: 2a07:e340::2@853#doh.mullvad.net + forward-addr: 194.242.2.2@853#doh.mullvad.net + forward-addr: 193.19.108.2@853#doh.mullvad.net 
diff --git a/etc/unbound/unbound.conf.d/dot-quad9-ecs.conf b/etc/unbound/unbound.conf.d/dot-quad9-ecs.conf index 1b3557d4..ad2c58d8 100644 --- a/etc/unbound/unbound.conf.d/dot-quad9-ecs.conf +++ b/etc/unbound/unbound.conf.d/dot-quad9-ecs.conf @@ -1,13 +1,13 @@ server: - # Debian ca-certificates location - tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt - # ctrl.blog says this is the Fedora location - #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem + # Debian ca-certificates location + tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt + # ctrl.blog says this is the Fedora location + #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem forward-zone: - name: "." - forward-tls-upstream: yes - forward-addr: 2620:fe::fe:11@853#dns11.quad9.net - forward-addr: 9.9.9.11@853#dns11.quad9.net - forward-addr: 2620:fe::11@853#dns11.quad9.net - forward-addr: 149.112.112.11@853#dns11.quad9.net + name: "." + forward-tls-upstream: yes + forward-addr: 2620:fe::fe:11@853#dns11.quad9.net + forward-addr: 9.9.9.11@853#dns11.quad9.net + forward-addr: 2620:fe::11@853#dns11.quad9.net + forward-addr: 149.112.112.11@853#dns11.quad9.net diff --git a/etc/unbound/unbound.conf.d/dot-quad9.conf b/etc/unbound/unbound.conf.d/dot-quad9.conf index 8fad238f..f2f50926 100644 --- a/etc/unbound/unbound.conf.d/dot-quad9.conf +++ b/etc/unbound/unbound.conf.d/dot-quad9.conf 
@@ -1,13 +1,13 @@ server: - # Debian ca-certificates location - tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt - # ctrl.blog says this is the Fedora location - #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem + # Debian ca-certificates location + tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt + # ctrl.blog says this is the Fedora location + #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem forward-zone: - name: "." - forward-tls-upstream: yes - forward-addr: 2620:fe::fe@853#dns.quad9.net - forward-addr: 9.9.9.9@853#dns.quad9.net - forward-addr: 2620:fe::9@853#dns.quad9.net - forward-addr: 149.112.112.112@853#dns.quad9.net + name: "." + forward-tls-upstream: yes + forward-addr: 2620:fe::fe@853#dns.quad9.net + forward-addr: 9.9.9.9@853#dns.quad9.net + forward-addr: 2620:fe::9@853#dns.quad9.net + forward-addr: 149.112.112.112@853#dns.quad9.net diff --git a/etc/unbound/unbound.conf.d/ipv6.conf b/etc/unbound/unbound.conf.d/ipv6.conf index e97944d8..e141a16a 100644 --- a/etc/unbound/unbound.conf.d/ipv6.conf +++ b/etc/unbound/unbound.conf.d/ipv6.conf @@ -1,3 +1,3 @@ server: - # Prefer IPv6 transport for sending DNS queries to internet nameservers. - prefer-ip6: yes + # Prefer IPv6 transport for sending DNS queries to internet nameservers. + prefer-ip6: yes diff --git a/etc/unbound/unbound.conf.d/logging.conf b/etc/unbound/unbound.conf.d/logging.conf index 3209328d..0fb8d3e8 100644 --- a/etc/unbound/unbound.conf.d/logging.conf +++ b/etc/unbound/unbound.conf.d/logging.conf 
@@ -1,10 +1,10 @@ server: - use-syslog: yes - #logfile: "/tmp/unbound.log" - # level 0 means no verbosity, only errors. Level 1 gives operational - # information. Level 2 gives detailed operational information. Level 3 - # gives query level information, output per query. Level 4 gives - # algorithm level information. - verbosity: 2 - # Print statistics to the log hourly - statistics-interval: 3600 + use-syslog: yes + #logfile: "/tmp/unbound.log" + # level 0 means no verbosity, only errors. Level 1 gives operational + # information. Level 2 gives detailed operational information. Level 3 + # gives query level information, output per query. Level 4 gives + # algorithm level information. + verbosity: 2 + # Print statistics to the log hourly + statistics-interval: 3600 diff --git a/etc/unbound/unbound.conf.d/plain-dns64.conf b/etc/unbound/unbound.conf.d/plain-dns64.conf index edc1560b..386be04c 100644 --- a/etc/unbound/unbound.conf.d/plain-dns64.conf +++ b/etc/unbound/unbound.conf.d/plain-dns64.conf 
@@ -2,19 +2,19 @@ # Check dns64-over-tls.conf instead! forward-zone: - name: "." + name: "." - # Cloudflare DNS64 for 64:ff9b::/96 - forward-addr: 2606:4700:4700::64 - forward-addr: 2606:4700:4700::6400 + # Cloudflare DNS64 for 64:ff9b::/96 + forward-addr: 2606:4700:4700::64 + forward-addr: 2606:4700:4700::6400 - # Trex DNS64/NAT64 - # > The generated AAAA records point to address blocks in TREX's public - # address space 2001:67c:2b0::/48 so they are usable from anywhere on - # the Internet. - forward-addr: 2001:67c:2b0::4 - forward-addr: 2001:67c:2b0::6 + # Trex DNS64/NAT64 + # > The generated AAAA records point to address blocks in TREX's public + # address space 2001:67c:2b0::/48 so they are usable from anywhere on + # the Internet. + forward-addr: 2001:67c:2b0::4 + forward-addr: 2001:67c:2b0::6 - # Google DNS64 for 64:ff9b::/96 (reserved NAT64 space) - #forward-addr: 2001:4860:4860::6464 - #forward-addr: 2001:4860:4860::64 + # Google DNS64 for 64:ff9b::/96 (reserved NAT64 space) + #forward-addr: 2001:4860:4860::6464 + #forward-addr: 2001:4860:4860::64 diff --git a/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf b/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf index 48f635b1..ca87b062 100644 --- a/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf +++ b/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf @@ -1,6 +1,6 @@ # This is another Debian default, that I may be missing under Arch, even # if the location changes. server: - # The following line will configure unbound to perform cryptographic - # DNSSEC validation using the root trust anchor. - auto-trust-anchor-file: "/var/lib/unbound/root.key" + # The following line will configure unbound to perform cryptographic + # DNSSEC validation using the root trust anchor. + auto-trust-anchor-file: "/var/lib/unbound/root.key" diff --git a/etc/unbound/unbound.conf.d/threads.conf b/etc/unbound/unbound.conf.d/threads.conf index 10374b48..ca232d08 100644 
--- a/etc/unbound/unbound.conf.d/threads.conf +++ b/etc/unbound/unbound.conf.d/threads.conf @@ -1,4 +1,4 @@ server: - # Use two threads, I think more than 1 threads will help with Firefox - # at times telling name resolution failed - num-threads: 2 + # Use two threads, I think more than 1 threads will help with Firefox + # at times telling name resolution failed + num-threads: 2 diff --git a/gpg/gpg.conf b/gpg/gpg.conf index 3cbbf8a9..9db717f5 100644 --- a/gpg/gpg.conf +++ b/gpg/gpg.conf @@ -5,7 +5,7 @@ # This file is free software; as a special exception the author gives # unlimited permission to copy and/or distribute it, with or without # modifications, as long as this notice is preserved. -# +# # This file is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY, to the extent permitted by law; without even the # implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. diff --git a/install b/install index e0bbb336..763b8877 100755 --- a/install +++ b/install @@ -18,7 +18,7 @@ cat conf/makepkg.conf > ~/.makepkg.conf mkdir -p ~/.config/mpv/ cat conf/mpv.conf > ~/.config/mpv/mpv.conf if [ ! -f ~/.oidentd.conf ]; then - cat conf/oidentd.conf > ~/.oidentd.conf + cat conf/oidentd.conf > ~/.oidentd.conf fi mkdir -p ~/.gnupg cat gpg/gpg.conf > ~/.gnupg/gpg.conf @@ -37,12 +37,12 @@ bash -x ./chmod& if [ -f $HOME/.MIKAELAGREP ] then - mv $HOME/.MIKAELAGREP $MIKAELA_GREP + mv $HOME/.MIKAELAGREP $MIKAELA_GREP fi if [ -f "$MIKAELA_GREP" ] then - bash -x .mikaela_install + bash -x .mikaela_install fi set +x diff --git a/rc/bashrc b/rc/bashrc index 29124965..4f7a973c 100644 --- a/rc/bashrc +++ b/rc/bashrc 
@@ -108,7 +108,7 @@ if [[ $UNAME = Darwin ]]; then alias l="ls -CFGp" fi -# Add an "alert" alias for long running commands. Use like so: +# Add an "alert" alias for long running commands. Use like so: # sleep 10; alert alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"' @@ -276,7 +276,7 @@ alias nmap-quick-plus="sudo nmap -sV -T4 -O -F --version-light " alias nmap-traceroute="sudo nmap -sP -PE -PS22,25,80 -PA21,23,80,3389 -PU -PO --traceroute " alias nmap-regular="nmap " alias nmap-comprehensive="sudo nmap -sS -sU -T4 -A -v -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 -PO --script all " -# Little "safer" scan as connecting to only HTTP and HTTPS ports doesn't look so attacking. Copy-paste to .bash_custom and remove " -p 80,443" if you want to scan all ports which nmap scans by default. +# Little "safer" scan as connecting to only HTTP and HTTPS ports doesn't look so attacking. Copy-paste to .bash_custom and remove " -p 80,443" if you want to scan all ports which nmap scans by default. alias nmap-osscan="sudo nmap -p 80,443 -O -v --osscan-guess --fuzzy " # Downloads folder over SSH. Usage: rdownload : | TIP: use ~/ssh/config to configure hosts. @@ -530,7 +530,7 @@ alias mpvms="mpv --no-video --shuffle" # Compatibility with my i3 alsactl mess if [ -f ~/.config/asound.state ] then - alias alsactl="\alsactl -f ~/.config/asound.state" + alias alsactl="\alsactl -f ~/.config/asound.state" fi # More simple SSH file signing, ~/.ssh/signingkey.pub should be a symlink 
@@ -573,26 +573,26 @@ function ex () { if [ -f "$1" ] ; then case "$1" in - *.tar) tar xvf $1 ;; - *.tar.bz2 | *.tbz2 ) tar xjvf $1 ;; - *.tar.gz | *.tgz ) tar xzvf $1 ;; - *.bz2) bunzip2 $1 ;; - *.rar) unrar x $1 ;; - *.gz) gunzip $1 ;; - *.zip) unzip $1 ;; - *.Z) uncompress $1 ;; - *.7z) 7z x $1 ;; - *.xz) tar xJvf $1 ;; - *.deb) - DIR=${1%%_*.deb} - ar xv $1 - mkdir ${DIR} - tar -C ${DIR} -xzvf data.tar.gz ;; - *.rpm) rpm2cpio $1 | cpio -vid ;; - *) echo ""${1}" cannot be extracted via extract()" + *.tar) tar xvf $1 ;; + *.tar.bz2 | *.tbz2 ) tar xjvf $1 ;; + *.tar.gz | *.tgz ) tar xzvf $1 ;; + *.bz2) bunzip2 $1 ;; + *.rar) unrar x $1 ;; + *.gz) gunzip $1 ;; + *.zip) unzip $1 ;; + *.Z) uncompress $1 ;; + *.7z) 7z x $1 ;; + *.xz) tar xJvf $1 ;; + *.deb) + DIR=${1%%_*.deb} + ar xv $1 + mkdir ${DIR} + tar -C ${DIR} -xzvf data.tar.gz ;; + *.rpm) rpm2cpio $1 | cpio -vid ;; + *) echo ""${1}" cannot be extracted via extract()" ;; esac - else +else echo ""${1}" is not a valid file" fi } diff --git a/rc/vimrc b/rc/vimrc index 97ffeb8a..a56f1e55 100644 --- a/rc/vimrc +++ b/rc/vimrc @@ -79,9 +79,9 @@ filetype plugin indent on " Return to last edit position when opening files (You want this!) autocmd BufReadPost * - \ if line("'\"") > 0 && line("'\"") <= line("$") | - \ exe "normal! g`\"" | - \ endif + \ if line("'\"") > 0 && line("'\"") <= line("$") | + \ exe "normal! g`\"" | + \ endif " I think leaving line endings to git may be more safe " dos2unix ^M copied from https://stackoverflow.com/a/5361702/1675649 diff --git a/rc/zshrc b/rc/zshrc index 64abe7fc..ebb9fbbc 100644 --- a/rc/zshrc +++ b/rc/zshrc 
@@ -11,20 +11,20 @@ UNAME=$(uname) # Dynamic window title via https://stackoverflow.com/a/20772424 ## BREAKS TMUX TITLE CHANGING WHICH IS BETTER THAN THIS. #case $TERM in -# (*xterm* | *rxvt*) +# (*xterm* | *rxvt*) # Write some info to terminal title. # This is seen when the shell prompts for input. # function precmd { -# print -Pn "\e]0;zsh%L %(1j,%j job%(2j|s|); ,)%~\a" +# print -Pn "\e]0;zsh%L %(1j,%j job%(2j|s|); ,)%~\a" # } # Write command and args to terminal title. # This is seen while the shell waits for a command to complete. # function preexec { -# printf "\033]0;%s\a" "$1" +# printf "\033]0;%s\a" "$1" # } # -# ;; +#;; #esac # enable terminal bell @@ -232,7 +232,7 @@ alias nmap-quick-plus="sudo nmap -sV -T4 -O -F --version-light " alias nmap-traceroute="sudo nmap -sP -PE -PS22,25,80 -PA21,23,80,3389 -PU -PO --traceroute " alias nmap-regular="nmap " alias nmap-comprehensive="sudo nmap -sS -sU -T4 -A -v -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 -PO --script all " -# Little "safer" scan as connecting to only HTTP and HTTPS ports doesn't look so attacking. Copy-paste to .zsh_custom and remove " -p 80,443" if you want to scan all ports which nmap scans by default. +# Little "safer" scan as connecting to only HTTP and HTTPS ports doesn't look so attacking. Copy-paste to .zsh_custom and remove" -p 80,443" if you want to scan all ports which nmap scans by default. alias nmap-osscan="sudo nmap -p 80,443 -O -v --osscan-guess --fuzzy " # Downloads folder over SSH. Usage: rdownload : | TIP: use ~/ssh/config to configure hosts. @@ -281,7 +281,7 @@ if [[ $UNAME = Darwin ]]; then alias l="ls -CFGp" fi -# Add an "alert" alias for long running commands. Use like so: +# Add an "alert" alias for long running commands. Use like so: alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"' ## -- End of aliases which are saved from Ubuntu default bashrc. -- 
@@ -507,7 +507,7 @@ alias mpvms="mpv --no-video --shuffle" # Compatibility with my i3 alsactl mess if [ -f ~/.config/asound.state ] then - alias alsactl="\alsactl -f ~/.config/asound.state" + alias alsactl="\alsactl -f ~/.config/asound.state" fi # More simple SSH file signing, ~/.ssh/signingkey.pub should be a symlink @@ -550,26 +550,26 @@ function ex () { if [ -f "$1" ] ; then case "$1" in - *.tar) tar xvf $1 ;; - *.tar.bz2 | *.tbz2 ) tar xjvf $1 ;; - *.tar.gz | *.tgz ) tar xzvf $1 ;; - *.bz2) bunzip2 $1 ;; - *.rar) unrar x $1 ;; - *.gz) gunzip $1 ;; - *.zip) unzip $1 ;; - *.Z) uncompress $1 ;; - *.7z) 7z x $1 ;; - *.xz) tar xJvf $1 ;; - *.deb) - DIR=${1%%_*.deb} - ar xv $1 - mkdir ${DIR} - tar -C ${DIR} -xzvf data.tar.gz ;; - *.rpm) rpm2cpio $1 | cpio -vid ;; - *) echo ""${1}" cannot be extracted via extract()" + *.tar) tar xvf $1 ;; + *.tar.bz2 | *.tbz2 ) tar xjvf $1 ;; + *.tar.gz | *.tgz ) tar xzvf $1 ;; + *.bz2) bunzip2 $1 ;; + *.rar) unrar x $1 ;; + *.gz) gunzip $1 ;; + *.zip) unzip $1 ;; + *.Z) uncompress $1 ;; + *.7z) 7z x $1 ;; + *.xz) tar xJvf $1 ;; + *.deb) + DIR=${1%%_*.deb} + ar xv $1 + mkdir ${DIR} + tar -C ${DIR} -xzvf data.tar.gz ;; + *.rpm) rpm2cpio $1 | cpio -vid ;; + *) echo ""${1}" cannot be extracted via extract()" ;; esac - else + else echo ""${1}" is not a valid file" fi } diff --git a/var/lib/iwd/README.md b/var/lib/iwd/README.md index 5bf2c5f3..a9849a6e 100644 --- a/var/lib/iwd/README.md +++ b/var/lib/iwd/README.md 
@@ -6,14 +6,14 @@ NetworkManager. Notes: - `git commit`ing the same SSID with different capitalisations breaks - Windows and more common macOS setups due to their filesystems being - case-insensitive. + Windows and more common macOS setups due to their filesystems being + case-insensitive. - `Settings.AutoConnect=true` is unnecessary as it defaults to true - according to `man iwd.network`. + according to `man iwd.network`. - `IPv6.Enabled=true` defauls to true being also unnecessary. - `private-home-sample.psk` has a comment on MAC address override and sends - hostname with IPv4 DHCP. `private-cafe-sample.psk` always randomizes MAC - address and doesn't send hostname. + hostname with IPv4 DHCP. `private-cafe-sample.psk` always randomizes MAC + address and doesn't send hostname. - The `.open` networks always randomize MAC address too. If a network is - private and needs MAC address for captive portal override or something, - `private-home-sample.psk` should be adjusted from. + private and needs MAC address for captive portal override or something, + `private-home-sample.psk` should be adjusted from.
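Review bot: the re-indentation in hunk `@@ -11,20 +11,20 @@` of the zsh config is uneven: `-# ;;` becomes `+#;;` with its indentation dropped, while the sibling `print -Pn`/`printf` lines keep theirs, so the commented-out `case` arm no longer lines up. Either indent `;;` like the rest or, since the whole block is commented out and the header already says it "BREAKS TMUX TITLE CHANGING", delete the dead block and keep only the one-line comment with the stackoverflow reference; re-indenting dead code just makes the next diff noisier.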
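Review bot: hunk `@@ -232,7 +232,7 @@` loses a space inside the comment: `remove " -p 80,443"` becomes `remove" -p 80,443"`, so the copy-paste instruction now reads as a single word; restore the space. While here, note that the trailing spaces inside the alias values (`alias nmap-regular="nmap "`, `--fuzzy "`) are deliberate so a host can be appended after the alias; whatever whitespace cleanup produced this change must not be allowed to strip those, and a short comment saying so would stop a future editor from "fixing" them.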
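Review bot: hunk `@@ -281,7 +281,7 @@` is a trailing-whitespace change only, but the comment it touches ends at `Use like so:` and nothing follows, so the promised usage is missing. Since the alias's `sed` strips a trailing `[;&|]\s*alert$` from the last history entry, document the intended form, i.e. a long-running command followed by `; alert`, on that comment line.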
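Review bot: every arm of `ex()` in hunk `@@ -550,26 +550,26 @@` uses `$1` and `${DIR}` unquoted, so a file name containing spaces or glob characters is word-split or expanded before `tar`/`unzip` see it; as these lines are being rewritten anyway, quote them (`tar xvf "$1"`, `mkdir "${DIR}"`, `tar -C "${DIR}" ...`). Three further points on the same hunk: the fallback `echo ""${1}" cannot be extracted via extract()"` has broken quoting (the first pair of quotes is an empty string, leaving `${1}` unquoted) and names `extract()` although the function is `ex`; the `*.deb)` arm hard-codes `data.tar.gz`, which fails on packages shipping `data.tar.xz` or `data.tar.zst`, so let tar autodetect with `tar -C "${DIR}" -xvf data.tar.*` or use `dpkg-deb -x "$1" "${DIR}"`; and the `*.xz)` arm runs `tar xJvf`, which only works when the `.xz` file is a tarball, so a plain `.xz` needs `unxz "$1"` (a separate `*.tar.xz | *.txz)` arm keeps the tar behaviour).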
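Review bot: the context line `IPv6.Enabled=true defauls to true` in hunk `@@ -6,14 +6,14 @@` of `var/lib/iwd/README.md` carries a typo (`defaults`), and the last bullet's "`private-home-sample.psk` should be adjusted from" is hard to parse; since the neighbouring lines are already being reflowed, fix both in this change, e.g. "start from `private-home-sample.psk` and adjust it". Also, iwd `.psk` files carry the network credential (`Passphrase=` or `PreSharedKey=` under `[Security]`), and the README only describes the `*-sample.psk` files, so state explicitly that the committed samples hold placeholder values and consider a `.gitignore` rule under `var/lib/iwd/` that admits only `*-sample.*`, so a real network file is not committed by accident alongside the SSID-named ones the first bullet talks about.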
