Mirror of https://gitea.blesmrt.net/mikaela/shell-things.git (synced 2024-12-21 18:22:50 +01:00)
fix .prettierrc & run prettier again
parent 3027652652
commit 447dcfdf08
2
.github/CODEOWNERS
vendored
@ -1 +1 @@
|
||||
* @Mikaela
|
||||
* @Mikaela
|
||||
|
@ -1,3 +1,5 @@
|
||||
# @format
|
||||
|
||||
# Based on https://pre-commit.com
|
||||
image: python:alpine
|
||||
gitlab-ci-pre-commit:
|
||||
|
@ -13,11 +13,11 @@
|
||||
{ "files": ".prettierrc", "options": { "parser": "json" } },
|
||||
{
|
||||
"files": "conf/librewolf.overrides.cfg",
|
||||
"options": { "parser": ".js" }
|
||||
"options": { "parser": "babel" }
|
||||
},
|
||||
{
|
||||
"files": "conf/autoconfig.js.online",
|
||||
"options": { "parser": ".js" }
|
||||
"options": { "parser": "babel" }
|
||||
}
|
||||
]
|
||||
}
|
||||
|
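Review bot: The last two override entries in this hunk, for `conf/librewolf.overrides.cfg` and `conf/autoconfig.js.online`, are now identical apart from `files`, so they can be merged into one entry with `"files": ["conf/librewolf.overrides.cfg", "conf/autoconfig.js.online"]` and a single `"options": { "parser": "babel" }`. Note that `babel` formats these Firefox preference files as ordinary JavaScript, so long `pref()` calls get wrapped and a trailing comma is appended to the last argument (visible in the later hunks of this commit). If any consumer of these files is stricter than a JavaScript engine, add `"trailingComma": "none"` to the same `options` block.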
@ -1,3 +1,5 @@
|
||||
<!-- @format -->
|
||||
|
||||
Config files that I wish to have everywhere. You could probably call this
|
||||
repository as dotfiles, but historical reasons...
|
||||
|
||||
|
@ -1,10 +1,12 @@
|
||||
<!-- @format -->
|
||||
|
||||
# DNS over HTTPS in Windows 11
|
||||
|
||||
Requires Windows 11.
|
||||
|
||||
- `GPO-EnforceDoH.reg` enables the group policy to require DoH. However it
|
||||
didn't seem to work for me or it allowed me to set the DNS server to not
|
||||
use DoH.
|
||||
didn't seem to work for me or it allowed me to set the DNS server to not use
|
||||
DoH.
|
||||
|
||||
- `DohWellKnownServers` adds DoH support for multiple IPv4 & IPv6 addresses
|
||||
that Windows 11 isn't shipping by default, currently:
|
||||
@ -17,14 +19,18 @@ Requires Windows 11.
|
||||
- Mullvad
|
||||
- Mullvad Adblock
|
||||
- Quad9 ECS (Windows 11 defaults include Quad9 default)
|
||||
- TREX (actually points to Quad9 as per [their documentation](https://www.trex.fi/service/resolvers.html))
|
||||
- TREX (actually points to Quad9 as per
|
||||
[their documentation](https://www.trex.fi/service/resolvers.html))
|
||||
|
||||
## Configuration
|
||||
|
||||
Once Windows knows about the DoH servers (DohWellKnownServers.reg), DNS-over
|
||||
HTTPS can be enabled for:
|
||||
|
||||
- All networks: `Windows-I (Settings) -> Network & Internet -> Advanced network settings -> WLAN -> View additional properties -> DNS Server assignment -> Edit`
|
||||
- All networks:
|
||||
`Windows-I (Settings) -> Network & Internet -> Advanced network settings -> WLAN -> View additional properties -> DNS Server assignment -> Edit`
|
||||
- Same place for Ethernet etc.
|
||||
- Specific network: `Windows-I (Settings) -> Network & Internet -> WiFi -> Connected SSID -> DNS server assignment -> Edit`
|
||||
- Note: if the all networks one is configured, there is a warning about it not being used.
|
||||
- Specific network:
|
||||
`Windows-I (Settings) -> Network & Internet -> WiFi -> Connected SSID -> DNS server assignment -> Edit`
|
||||
- Note: if the all networks one is configured, there is a warning about it
|
||||
not being used.
|
||||
|
@ -1,3 +1,5 @@
|
||||
<!-- @format -->
|
||||
|
||||
This file is supposed to explain [Windows.reg](Windows.reg).
|
||||
|
||||
```
|
||||
@ -10,9 +12,10 @@ Windows Registry Editor Version 5.00
|
||||
- Make the file Windows Registry Editor script
|
||||
- Ask admins for password/PIN in UAC
|
||||
- 2 would ask for yes or no, 0 disable entirely (don't do that).
|
||||
- prompt standard users for username and password. 2021-12-19: I don't understand this or the line below.
|
||||
- The other option (1) doesn't even give them UAC prompt so you must
|
||||
always login as admin to do anything.
|
||||
- prompt standard users for username and password. 2021-12-19: I don't
|
||||
understand this or the line below.
|
||||
- The other option (1) doesn't even give them UAC prompt so you must always
|
||||
login as admin to do anything.
|
||||
|
||||
```
|
||||
"dontdisplaylastusername"=dword:00000000
|
||||
@ -39,8 +42,8 @@ Windows Registry Editor Version 5.00
|
||||
```
|
||||
|
||||
- Sets hardware clock to UTC time (doesn't affect system clock!)
|
||||
- qword for 64-bit, dword for 32-bit systems. The actual reg file has
|
||||
only qword as I haven't seen 32-bit Windowses lately.
|
||||
- qword for 64-bit, dword for 32-bit systems. The actual reg file has only
|
||||
qword as I haven't seen 32-bit Windowses lately.
|
||||
|
||||
```
|
||||
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
|
||||
|
@ -1,3 +1,5 @@
|
||||
/** @format */
|
||||
|
||||
// This file belongs to Firefox `default/pref` directory.
|
||||
// E.g. /usr/lib64/firefox/defaults/pref/ or ~/.local/firefox/defaults/pref/
|
||||
|
||||
|
@ -1,10 +1,15 @@
|
||||
/** @format */
|
||||
|
||||
// This file belongs to Firefox `default/pref` directory as `autoconfig.js`.
|
||||
// E.g. /usr/lib64/firefox/defaults/pref/autoconfig.js
|
||||
|
||||
// WARNING: lockPref() IS NOT ALLOWED HERE!
|
||||
|
||||
//pref("autoadmin.global_config_url","https://gitea.blesmrt.net/mikaela/shell-things/raw/branch/master/conf/firefox-forbidden-policies.js");
|
||||
pref("autoadmin.global_config_url","file:///home/aminda/public_html/autoconfig.js");
|
||||
pref(
|
||||
"autoadmin.global_config_url",
|
||||
"file:///home/aminda/public_html/autoconfig.js",
|
||||
);
|
||||
pref("general.config.obscure_value", 0);
|
||||
pref("autoadmin.refresh_interval", 120);
|
||||
pref("autoadmin.offline_failover", true);
|
||||
|
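Review bot: The reformatted `pref("autoadmin.global_config_url", ...)` call in this hunk now ends with a trailing comma before `);`, and the header comment says this file is installed into Firefox's `default/pref` directory as `autoconfig.js`. Files in that directory are read by Firefox's preference-file parser rather than executed as JavaScript, so please confirm the browser still loads this pref after the change. If it does not, keep the call on one line with a `// prettier-ignore` comment above it, or set `trailingComma` to `none` for this file.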
@ -1,3 +1,4 @@
|
||||
/** @format */
|
||||
|
||||
// ~/.{librewolf,var/app/io.gitlab.librewolf-community/.librewolf}/librewolf.overrides.cfg
|
||||
// The first line of this file is supposed to be empty.
|
||||
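Review bot: The inserted `/** @format */` pragma now occupies line 1 of this file, while the comment two lines below it still reads `// The first line of this file is supposed to be empty.` Either exclude this file from pragma insertion (for example through `.prettierignore`, or an override that turns `insertPragma` off for it) or update the comment to describe what line 1 now holds, and check that the overrides are still applied with a comment in that position.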
@ -11,7 +12,10 @@
|
||||
// NOTE! A lot is commented either for being a note, wrong, TODO, whatever, or most likely in my /etc/firefox/policies/policies.json
|
||||
|
||||
// Firefox autoconfig
|
||||
pref("autoadmin.global_config_url", "https://gitea.blesmrt.net/mikaela/shell-things/raw/branch/master/conf/librewolf.overrides.cfg");
|
||||
pref(
|
||||
"autoadmin.global_config_url",
|
||||
"https://gitea.blesmrt.net/mikaela/shell-things/raw/branch/master/conf/librewolf.overrides.cfg",
|
||||
);
|
||||
//pref("general.config.obscure_value", 0);
|
||||
pref("autoadmin.refresh_interval", 120);
|
||||
pref("autoadmin.offline_failover", true);
|
||||
@ -51,7 +55,10 @@ pref("privacy.fingerprintingProtection.pbmode", true);
|
||||
// usability and reveal the real platform (voting for Linux
|
||||
// existing in statistics). https://searchfox.org/mozilla-central/source/toolkit/components/resistfingerprinting/RFPTargets.inc
|
||||
// It's not like I have any uniqueness with `intl.accept_languages` below...
|
||||
pref("privacy.fingerprintingProtection.overrides", "+AllTargets,-KeyboardEvents,-SpeechSynthesis,-CSSPrefersColorScheme,-CSSPrefersReducedMotion,-NavigatorPlatform,-NavigatorUserAgent,-JSDateTimeUTC,-HttpUserAgent,-FontVisibilityRestrictGenerics,-FontVisibilityBaseSystem,-FontVisibilityLangPack");
|
||||
pref(
|
||||
"privacy.fingerprintingProtection.overrides",
|
||||
"+AllTargets,-KeyboardEvents,-SpeechSynthesis,-CSSPrefersColorScheme,-CSSPrefersReducedMotion,-NavigatorPlatform,-NavigatorUserAgent,-JSDateTimeUTC,-HttpUserAgent,-FontVisibilityRestrictGenerics,-FontVisibilityBaseSystem,-FontVisibilityLangPack",
|
||||
);
|
||||
|
||||
// :( but fingerprintability
|
||||
pref("javascript.use_us_english_locale", true);
|
||||
@ -147,8 +154,14 @@ pref("browser.cache.memory.enable", true);
|
||||
//pref("privacy.userContext.ui.enabled", true);
|
||||
|
||||
//pref("browser.contentblocking.category", "strict");
|
||||
pref("privacy.partition.always_partition_third_party_non_cookie_storage", true);
|
||||
pref("privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage", false);
|
||||
pref(
|
||||
"privacy.partition.always_partition_third_party_non_cookie_storage",
|
||||
true,
|
||||
);
|
||||
pref(
|
||||
"privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage",
|
||||
false,
|
||||
);
|
||||
|
||||
/** prevent media cache from being written to disk in pb, but increase max cache size to avoid playback issues */
|
||||
pref("browser.privatebrowsing.forceMediaMemoryCache", true);
|
||||
@ -189,7 +202,7 @@ pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // force webr
|
||||
|
||||
/** [SECTION] DNS */
|
||||
//pref("network.dns.disablePrefetch", true); // disable dns prefetching
|
||||
pref("network.dns.skipTRR-when-parental-control-enabled", false); // Arkenfox user.js v117
|
||||
pref("network.dns.skipTRR-when-parental-control-enabled", false); // Arkenfox user.js v117
|
||||
|
||||
/** [SECTION] PREFETCHING AND SPECULATIVE CONNECTIONS
|
||||
* disable prefecthing for different things such as links, bookmarks and predictions.
|
||||
@ -271,7 +284,6 @@ pref("browser.urlbar.weather.featureGate", false);
|
||||
// these are from Arkenfox, I decided to put them here.
|
||||
pref("browser.download.start_downloads_in_tmp_dir", true); // Arkenfox user.js v118
|
||||
|
||||
|
||||
/**
|
||||
* the pref disables the whole feature and hide it from the ui
|
||||
* (as noted in https://bugzilla.mozilla.org/show_bug.cgi?id=1755057).
|
||||
@ -307,8 +319,6 @@ pref("browser.link.open_newwindow.restriction", 0);
|
||||
/** [SECTION] MOUSE */
|
||||
pref("browser.tabs.searchclipboardfor.middleclick", false); // prevent mouse middle click on new tab button to trigger searches or page loads
|
||||
|
||||
|
||||
|
||||
/** [CATEGORY] EXTENSIONS */
|
||||
|
||||
/** [SECTION] USER INSTALLED
|
||||
@ -363,14 +373,20 @@ pref("browser.shopping.experience2023.active", false);
|
||||
|
||||
/** [SECTION] OTHERS */
|
||||
pref("webchannel.allowObject.urlWhitelist", ""); // remove web channel whitelist
|
||||
pref("services.settings.server", "https://%.invalid") // set the remote settings URL (REMOTE_SETTINGS_SERVER_URL in the code)
|
||||
pref("services.settings.server", "https://%.invalid"); // set the remote settings URL (REMOTE_SETTINGS_SERVER_URL in the code)
|
||||
|
||||
/** [SECTION] NEW TAB PAGE
|
||||
* we want NTP to display nothing but the search bar without anything distracting.
|
||||
* the three prefs below are just for minimalism and they should be easy to revert for users.
|
||||
*/
|
||||
pref("browser.newtabpage.activity-stream.section.highlights.includeDownloads", false);
|
||||
pref("browser.newtabpage.activity-stream.section.highlights.includeVisited", false);
|
||||
pref(
|
||||
"browser.newtabpage.activity-stream.section.highlights.includeDownloads",
|
||||
false,
|
||||
);
|
||||
pref(
|
||||
"browser.newtabpage.activity-stream.section.highlights.includeVisited",
|
||||
false,
|
||||
);
|
||||
pref("browser.newtabpage.activity-stream.feeds.topsites", false);
|
||||
// hide stories and sponsored content from Firefox Home
|
||||
pref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
|
||||
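Review bot: The `;` added after `pref("services.settings.server", "https://%.invalid")` is right, but the trailing comment on that line still says it will "set the remote settings URL" while the value is a host under the reserved `.invalid` TLD. Reword the comment to say that this pref deliberately points remote settings at an unresolvable host, so a reader does not mistake it for a placeholder awaiting a real URL.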
@ -380,7 +396,10 @@ pref("browser.newtabpage.activity-stream.showSponsoredTopSites", false);
|
||||
pref("browser.newtabpage.activity-stream.feeds.telemetry", false);
|
||||
pref("browser.newtabpage.activity-stream.telemetry", false);
|
||||
// hide stories UI in about:preferences#home, empty highlights list
|
||||
pref("browser.newtabpage.activity-stream.feeds.section.topstories.options", "{\"hidden\":true}");
|
||||
pref(
|
||||
"browser.newtabpage.activity-stream.feeds.section.topstories.options",
|
||||
'{"hidden":true}',
|
||||
);
|
||||
pref("browser.newtabpage.activity-stream.default.sites", "");
|
||||
|
||||
/** [SECTION] ABOUT
|
||||
@ -406,8 +425,14 @@ pref("browser.preferences.moreFromMozilla", false);
|
||||
/** [SECTION] RECOMMENDED
|
||||
* disable all "recommend as you browse" activity.
|
||||
*/
|
||||
pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false);
|
||||
pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false);
|
||||
pref(
|
||||
"browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features",
|
||||
false,
|
||||
);
|
||||
pref(
|
||||
"browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons",
|
||||
false,
|
||||
);
|
||||
|
||||
// Maybe Windows specific, but looks useful.
|
||||
pref("network.protocol-handler.external.ms-windows-store", false); // prevent links from launching windows store
|
||||
|
@ -1,16 +1,18 @@
|
||||
<!-- @format -->
|
||||
|
||||
My configs for [dnscrypt-proxy]
|
||||
|
||||
At the time of writing, hosts-mikaela.txt is intended for not having to
|
||||
remember or trust the DNS for all of the domains or the hypothetical
|
||||
scenario where I have no access to DNS, but for some reason having access
|
||||
to [Yggdrasil] and/or [Hyperboria] or just to answer the question, why to
|
||||
rely on centralized technology on decentralized web.
|
||||
remember or trust the DNS for all of the domains or the hypothetical scenario
|
||||
where I have no access to DNS, but for some reason having access to
|
||||
[Yggdrasil] and/or [Hyperboria] or just to answer the question, why to rely on
|
||||
centralized technology on decentralized web.
|
||||
|
||||
Mosts of the domains in hosts-mikaela.txt should also work without the file
|
||||
when mikaela.internal is replaced with mikaela.info, however relying on DNS,
|
||||
but that way you must trust DNSSEC, CloudFlare and wherever the CNAME
|
||||
points to who may not have DNSSEC. If you are using this file
|
||||
(you shouldn't), you are already trusting me.
|
||||
but that way you must trust DNSSEC, CloudFlare and wherever the CNAME points
|
||||
to who may not have DNSSEC. If you are using this file (you shouldn't), you
|
||||
are already trusting me.
|
||||
|
||||
[dnscrypt-proxy]: https://github.com/jedisct1/dnscrypt-proxy
|
||||
[hyperboria]: https://hyperboria.net/
|
||||
|
@ -1,3 +1,5 @@
|
||||
<!-- @format -->
|
||||
|
||||
# Firefox `policies.json`
|
||||
|
||||
- https://mozilla.github.io/policy-templates/
|
||||
@ -32,8 +34,8 @@ per whatever I am doing.
|
||||
## WARNING TO LIBREWOLF USERS
|
||||
|
||||
This file takes priority over
|
||||
`/usr/share/librewolf/distribution/policies.json` so don't apply this or
|
||||
a lot of LibreWolf specific customizations stops being in force.
|
||||
`/usr/share/librewolf/distribution/policies.json` so don't apply this or a lot
|
||||
of LibreWolf specific customizations stops being in force.
|
||||
|
||||
## General warning
|
||||
|
||||
|
@ -1,3 +1,5 @@
|
||||
<!-- @format -->
|
||||
|
||||
# Chromium policies
|
||||
|
||||
- https://chromeenterprise.google/policies/
|
||||
@ -200,8 +202,8 @@ disabling GTK/Qt themes.
|
||||
|
||||
## `brave-shields-disabled.json`
|
||||
|
||||
Allowlist for sites where I think Brave Shields may be breaking things. Similar is also in
|
||||
`aminda-extensions.json` for Privacy Badger.
|
||||
Allowlist for sites where I think Brave Shields may be breaking things.
|
||||
Similar is also in `aminda-extensions.json` for Privacy Badger.
|
||||
|
||||
## `disable-brave-ipfs.json`
|
||||
|
||||
@ -254,14 +256,15 @@ Simply forces DNS-over-HTTPS with DNS0.eu.
|
||||
|
||||
## `doh-mullvad-base.json`
|
||||
|
||||
Forces DNS-over-HTTPS with Mullvad Base, which features ad, malware & tracker blocking.
|
||||
Forces DNS-over-HTTPS with Mullvad Base, which features ad, malware & tracker
|
||||
blocking.
|
||||
|
||||
- https://mullvad.net/en/help/dns-over-https-and-dns-over-tls#specifications
|
||||
|
||||
## `doh-quad9-ecs.json`
|
||||
|
||||
Forces DNS over HTTPS with Quad9 ECS enabled threat-blocking server and also contains
|
||||
their alternative port.
|
||||
Forces DNS over HTTPS with Quad9 ECS enabled threat-blocking server and also
|
||||
contains their alternative port.
|
||||
|
||||
## `doh-quad9.json`
|
||||
|
||||
@ -270,15 +273,18 @@ their alternative port.
|
||||
|
||||
## `doh-unlocked-unset.json`
|
||||
|
||||
Allows configuring DoH even with managed policies present (unless another DoH rule is in force) since enabling any managed policy will otherwise gray out the option.
|
||||
Allows configuring DoH even with managed policies present (unless another DoH
|
||||
rule is in force) since enabling any managed policy will otherwise gray out
|
||||
the option.
|
||||
|
||||
If no DNS over HTTPS policy is used, this unlocks the setting. Enabling managed policies disable it by default.
|
||||
If no DNS over HTTPS policy is used, this unlocks the setting. Enabling
|
||||
managed policies disable it by default.
|
||||
|
||||
My other `doh-*.json` set this as well, because `secure` doesn't allow
|
||||
downgrade to system resolver and Chromium seems somewhat unreliable with it often reporting
|
||||
`DNS_PROBE_POSSIBLE` and while this occassionally disables ECH, it works and
|
||||
my system resolvers are encrypted. I hope they will implement ECH with system
|
||||
resolver soon to fix this.
|
||||
downgrade to system resolver and Chromium seems somewhat unreliable with it
|
||||
often reporting `DNS_PROBE_POSSIBLE` and while this occassionally disables
|
||||
ECH, it works and my system resolvers are encrypted. I hope they will
|
||||
implement ECH with system resolver soon to fix this.
|
||||
|
||||
## `edge-appsfavorites.json`
|
||||
|
||||
@ -298,7 +304,8 @@ Explicitly enables Chromecast support.
|
||||
|
||||
## `enable-labs.json`
|
||||
|
||||
Enables the beaker button "Experiments" for easier management than `about:flags`.
|
||||
Enables the beaker button "Experiments" for easier management than
|
||||
`about:flags`.
|
||||
|
||||
## `enable-passwordleakdetection.json`
|
||||
|
||||
@ -332,14 +339,14 @@ This file evolved to merge another one, so now it:
|
||||
|
||||
## `prefetch.json`
|
||||
|
||||
Enables prefetching. Will make sites very speedy, but decreases privacy and may
|
||||
conflict with uBlock Origin. However AdNauseam is already clicking those ads, so
|
||||
maybe it's not that big of an issue.
|
||||
Enables prefetching. Will make sites very speedy, but decreases privacy and
|
||||
may conflict with uBlock Origin. However AdNauseam is already clicking those
|
||||
ads, so maybe it's not that big of an issue.
|
||||
|
||||
## `profilemanager.json`
|
||||
|
||||
Forces the profile screen even with only one profile. I love the feature in Firefox
|
||||
and want to see it here too, now that I accidentally noticed it.
|
||||
Forces the profile screen even with only one profile. I love the feature in
|
||||
Firefox and want to see it here too, now that I accidentally noticed it.
|
||||
|
||||
## `README.md`
|
||||
|
||||
|
@ -1,3 +1,5 @@
|
||||
<!-- @format -->
|
||||
|
||||
# systemd-resolved additional config files
|
||||
|
||||
<!-- editorconfig-checker-disable -->
|
||||
@ -17,8 +19,8 @@
|
||||
|
||||
## Quickstart
|
||||
|
||||
This is also done by `../../systemd-resolv.conf-restore.bash` which takes
|
||||
into account more circumstances...
|
||||
This is also done by `../../systemd-resolv.conf-restore.bash` which takes into
|
||||
account more circumstances...
|
||||
|
||||
```bash
|
||||
sudo systemctl enable --now systemd-resolved.service
|
||||
@ -33,13 +35,13 @@ offer.
|
||||
|
||||
## Files explained
|
||||
|
||||
- `00-defaults.conf` - configuration that should be used everywhere.
|
||||
Enables DNSSEC (regardless of systemd-resolved not handling it properly),
|
||||
enables opportunistic DoT, caching and local DNS servers (because they
|
||||
should exist anyway as I don't trust systemd-resolved entirely. Anyway if
|
||||
there truly is no local resolver, systemd-resolved will detect that and act accordingly.)
|
||||
- To rephrase, this is to be used together with other files, especially
|
||||
some of those beginning with `10-dot-`.
|
||||
- `00-defaults.conf` - configuration that should be used everywhere. Enables
|
||||
DNSSEC (regardless of systemd-resolved not handling it properly), enables
|
||||
opportunistic DoT, caching and local DNS servers (because they should exist
|
||||
anyway as I don't trust systemd-resolved entirely. Anyway if there truly is
|
||||
no local resolver, systemd-resolved will detect that and act accordingly.)
|
||||
- To rephrase, this is to be used together with other files, especially some
|
||||
of those beginning with `10-dot-`.
|
||||
- `05-do53-dna-moi.conf` - DNS servers used by DNA and Moi (who is on DNA's
|
||||
network and owned by them)
|
||||
- `05-do53-elisa.conf` - DNS servers used by Elisa and apparently their
|
||||
@ -48,12 +50,12 @@ offer.
|
||||
At least one of these should be used in addition to `00-defaults.conf`
|
||||
- `98-local-resolver.conf` attempts to configure localhost resolver and
|
||||
disables unnecessary features for that scenario. The number 10 takes
|
||||
priority over 00 and 05 so if a DNSOverTLS=true is uncommented, it will
|
||||
also apply to the former ones that are unlikely to support it. When
|
||||
numbering the files, I didn't think I would be adding the plaintext DNS
|
||||
servers that I am unlikely to use whenever Unbound is available (and I
|
||||
currently have only one system that has systemd-resolved while not having
|
||||
Unbound and it seems to prefer DoT over my router anyway).
|
||||
priority over 00 and 05 so if a DNSOverTLS=true is uncommented, it will also
|
||||
apply to the former ones that are unlikely to support it. When numbering the
|
||||
files, I didn't think I would be adding the plaintext DNS servers that I am
|
||||
unlikely to use whenever Unbound is available (and I currently have only one
|
||||
system that has systemd-resolved while not having Unbound and it seems to
|
||||
prefer DoT over my router anyway).
|
||||
- `99-lan-resolver.conf.sample` when renamed would allow enabling resolvers on
|
||||
LAN assuming they are trusted. Note that if used together with
|
||||
`98-local-resolver.conf`, DNSSEC would be disabled.
|
||||
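Review bot: The rewrapped `98-local-resolver.conf` entry still says "The number 10 takes priority over 00 and 05", but the file it describes is numbered 98, and the only `10-` files visible in this diff are the `10-dot-` ones mentioned under `00-defaults.conf`. Since the paragraph is being touched anyway, correct the number or name the `10-dot-` files explicitly, so the stated precedence for an uncommented `DNSOverTLS=true` matches the actual file names.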
@ -61,30 +63,33 @@ offer.
|
||||
|
||||
## General commentary
|
||||
|
||||
- DNSOverTLS became supported in systemd v239, strict mode (true) in
|
||||
v243 (big improvements in v244).
|
||||
- DNSOverTLS became supported in systemd v239, strict mode (true) in v243 (big
|
||||
improvements in v244).
|
||||
- TODO: find out when SNI became supported, I have just spotted it in the
|
||||
fine manual in 2020-06-??.
|
||||
- Domains has to be `.~` for them to override DHCP. See https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd
|
||||
- Domains has to be `.~` for them to override DHCP. See
|
||||
https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd
|
||||
without which I wouldn't have got this right.
|
||||
- DNSSEC may not work if the system is down for a long time and not updated.
|
||||
Thus `allow-downgrade` may be better for non-tech people, even with the
|
||||
potential downgrade attack. There are also captive portals, affecting
|
||||
`DNSOverTLS`. Both take `true` or `false` or their own special option,
|
||||
for DNSSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
|
||||
`DNSOverTLS`. Both take `true` or `false` or their own special option, for
|
||||
DNSSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
|
||||
- Then again when was any system that outdated to not have working DNSSEC?
|
||||
- TODO: return to this configuration should that actually happen?
|
||||
- I am actually running Unbound simultaneously with `resolv.conf` pointing
|
||||
to both with `options rotate edns0 trust-ad` which might workaround that
|
||||
potential issue.
|
||||
- DNS server priority is the one they are specified in. The first working one
|
||||
will be used when it won't work anymore and then the next is used as long
|
||||
as it works and then it's back to the beginning.
|
||||
will be used when it won't work anymore and then the next is used as long as
|
||||
it works and then it's back to the beginning.
|
||||
- https://github.com/systemd/systemd/issues/16322#issuecomment-724143641
|
||||
|
||||
Other links I have found important and my files are based on:
|
||||
|
||||
- https://wiki.archlinux.org/index.php/Systemd-resolved
|
||||
- Also provides the serious issues systemd-resolved+DNSSEC issues, https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
|
||||
- Also provides the serious issues systemd-resolved+DNSSEC issues,
|
||||
https://github.com/systemd/systemd/issues/10579 &
|
||||
https://github.com/systemd/systemd/issues/9867
|
||||
- request for strict DoT: https://github.com/systemd/systemd/issues/10755
|
||||
- vulnerable to MITM: https://github.com/systemd/systemd/issues/9397
|
||||
|
@ -1,15 +1,19 @@
|
||||
<!-- @format -->
|
||||
|
||||
Systemd services. These are sorted by some kind of category into
|
||||
subdirectories. The sudirectories won't exist in the real
|
||||
`/etc/systemd/system` unless they end `.wants` or `.d` or something similar
|
||||
and I forget to update this README file if that happens.
|
||||
|
||||
- reflector.service is copied from https://wiki.archlinux.org/index.php/Reflector
|
||||
but uses https instead of http, because there is no reason I would want
|
||||
someone to see what I download.
|
||||
- reflector.service is copied from
|
||||
https://wiki.archlinux.org/index.php/Reflector but uses https instead of
|
||||
http, because there is no reason I would want someone to see what I
|
||||
download.
|
||||
|
||||
## Worth reading
|
||||
|
||||
- Waiting for network devices to have IP address (**I only use this for
|
||||
cables**) https://wiki.freedesktop.org/www/Software/systemd/NetworkTarget/#cutthecraphowdoimakenetwork.targetworkforme
|
||||
cables**)
|
||||
https://wiki.freedesktop.org/www/Software/systemd/NetworkTarget/#cutthecraphowdoimakenetwork.targetworkforme
|
||||
- `systemctl enable NetworkManager-wait-online.service`
|
||||
- `systemctl enable systemd-networkd-wait-online.service`
|
||||
|
@ -1,3 +1,5 @@
|
||||
<!-- @format -->
|
||||
|
||||
# Autostart files for graphical desktop environments
|
||||
|
||||
This mostly caters for my family.
|
||||
|
@ -1,3 +1,5 @@
|
||||
<!-- @format -->
|
||||
|
||||
# Custom app menu entries
|
||||
|
||||
These can be used for either `~/.local/share/applications` or
|
||||
@ -25,12 +27,12 @@ so graphical desktop environments started the apps on login.
|
||||
## `a-*.desktop`
|
||||
|
||||
These files are companions to my script repos `bash/usr-local-bin/*` belonging
|
||||
to `/usr/local/share/applications` and are named so to
|
||||
avoid masking package manager. They have clearly different names such as using
|
||||
all caps.
|
||||
to `/usr/local/share/applications` and are named so to avoid masking package
|
||||
manager. They have clearly different names such as using all caps.
|
||||
|
||||
Apparently one can also have subdirectories in `/usr/local/share/applications/`
|
||||
and `~/.local/share/applications/` making life easier.
|
||||
Apparently one can also have subdirectories in
|
||||
`/usr/local/share/applications/` and `~/.local/share/applications/` making
|
||||
life easier.
|
||||
|
||||
## Refreshing the menus
|
||||
|
||||
|
@ -1,3 +1,5 @@
|
||||
<!-- @format -->
|
||||
|
||||
iwd network configuration lives in this directory
|
||||
|
||||
See also `../../../etc/iwd/main.conf` especially in standalone iwd without
|
||||
@ -5,11 +7,11 @@ NetworkManager.
|
||||
|
||||
Notes:
|
||||
|
||||
- `git commit`ing the same SSID with different capitalisations breaks
|
||||
Windows and more common macOS setups due to their filesystems being
|
||||
- `git commit`ing the same SSID with different capitalisations breaks Windows
|
||||
and more common macOS setups due to their filesystems being
|
||||
case-insensitive.
|
||||
- `Settings.AutoConnect=true` is unnecessary as it defaults to true
|
||||
according to `man iwd.network`.
|
||||
- `Settings.AutoConnect=true` is unnecessary as it defaults to true according
|
||||
to `man iwd.network`.
|
||||
- `IPv6.Enabled=true` defauls to true being also unnecessary.
|
||||
- `private-home-sample.psk` has a comment on MAC address override and sends
|
||||
hostname with IPv4 DHCP. `private-cafe-sample.psk` always randomizes MAC
|
||||
|