mirror of https://gitea.blesmrt.net/mikaela/shell-things.git (synced 2024-11-25 12:49:26 +01:00)
fix .prettierrc & run prettier again
parent 3027652652
commit 447dcfdf08
@ -1,3 +1,5 @@
|
|||||||
|
# @format
|
||||||
|
|
||||||
# Based on https://pre-commit.com
|
# Based on https://pre-commit.com
|
||||||
image: python:alpine
|
image: python:alpine
|
||||||
gitlab-ci-pre-commit:
|
gitlab-ci-pre-commit:
|
||||||
|
@ -13,11 +13,11 @@
|
|||||||
{ "files": ".prettierrc", "options": { "parser": "json" } },
|
{ "files": ".prettierrc", "options": { "parser": "json" } },
|
||||||
{
|
{
|
||||||
"files": "conf/librewolf.overrides.cfg",
|
"files": "conf/librewolf.overrides.cfg",
|
||||||
"options": { "parser": ".js" }
|
"options": { "parser": "babel" }
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"files": "conf/autoconfig.js.online",
|
"files": "conf/autoconfig.js.online",
|
||||||
"options": { "parser": ".js" }
|
"options": { "parser": "babel" }
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
@ -1,3 +1,5 @@
|
|||||||
|
<!-- @format -->
|
||||||
|
|
||||||
Config files that I wish to have everywhere. You could probably call this
|
Config files that I wish to have everywhere. You could probably call this
|
||||||
repository as dotfiles, but historical reasons...
|
repository as dotfiles, but historical reasons...
|
||||||
|
|
||||||
|
@ -1,10 +1,12 @@
|
|||||||
|
<!-- @format -->
|
||||||
|
|
||||||
# DNS over HTTPS in Windows 11
|
# DNS over HTTPS in Windows 11
|
||||||
|
|
||||||
Requires Windows 11.
|
Requires Windows 11.
|
||||||
|
|
||||||
- `GPO-EnforceDoH.reg` enables the group policy to require DoH. However it
|
- `GPO-EnforceDoH.reg` enables the group policy to require DoH. However it
|
||||||
didn't seem to work for me or it allowed me to set the DNS server to not
|
didn't seem to work for me or it allowed me to set the DNS server to not use
|
||||||
use DoH.
|
DoH.
|
||||||
|
|
||||||
- `DohWellKnownServers` adds DoH support for multiple IPv4 & IPv6 addresses
|
- `DohWellKnownServers` adds DoH support for multiple IPv4 & IPv6 addresses
|
||||||
that Windows 11 isn't shipping by default, currently:
|
that Windows 11 isn't shipping by default, currently:
|
||||||
@ -17,14 +19,18 @@ Requires Windows 11.
|
|||||||
- Mullvad
|
- Mullvad
|
||||||
- Mullvad Adblock
|
- Mullvad Adblock
|
||||||
- Quad9 ECS (Windows 11 defaults include Quad9 default)
|
- Quad9 ECS (Windows 11 defaults include Quad9 default)
|
||||||
- TREX (actually points to Quad9 as per [their documentation](https://www.trex.fi/service/resolvers.html))
|
- TREX (actually points to Quad9 as per
|
||||||
|
[their documentation](https://www.trex.fi/service/resolvers.html))
|
||||||
|
|
||||||
## Configuration
|
## Configuration
|
||||||
|
|
||||||
Once Windows knows about the DoH servers (DohWellKnownServers.reg), DNS-over
|
Once Windows knows about the DoH servers (DohWellKnownServers.reg), DNS-over
|
||||||
HTTPS can be enabled for:
|
HTTPS can be enabled for:
|
||||||
|
|
||||||
- All networks: `Windows-I (Settings) -> Network & Internet -> Advanced network settings -> WLAN -> View additional properties -> DNS Server assignment -> Edit`
|
- All networks:
|
||||||
|
`Windows-I (Settings) -> Network & Internet -> Advanced network settings -> WLAN -> View additional properties -> DNS Server assignment -> Edit`
|
||||||
- Same place for Ethernet etc.
|
- Same place for Ethernet etc.
|
||||||
- Specific network: `Windows-I (Settings) -> Network & Internet -> WiFi -> Connected SSID -> DNS server assignment -> Edit`
|
- Specific network:
|
||||||
- Note: if the all networks one is configured, there is a warning about it not being used.
|
`Windows-I (Settings) -> Network & Internet -> WiFi -> Connected SSID -> DNS server assignment -> Edit`
|
||||||
|
- Note: if the all networks one is configured, there is a warning about it
|
||||||
|
not being used.
|
||||||
|
@ -1,3 +1,5 @@
|
|||||||
|
<!-- @format -->
|
||||||
|
|
||||||
This file is supposed to explain [Windows.reg](Windows.reg).
|
This file is supposed to explain [Windows.reg](Windows.reg).
|
||||||
|
|
||||||
```
|
```
|
||||||
@ -10,9 +12,10 @@ Windows Registry Editor Version 5.00
|
|||||||
- Make the file Windows Registry Editor script
|
- Make the file Windows Registry Editor script
|
||||||
- Ask admins for password/PIN in UAC
|
- Ask admins for password/PIN in UAC
|
||||||
- 2 would ask for yes or no, 0 disable entirely (don't do that).
|
- 2 would ask for yes or no, 0 disable entirely (don't do that).
|
||||||
- prompt standard users for username and password. 2021-12-19: I don't understand this or the line below.
|
- prompt standard users for username and password. 2021-12-19: I don't
|
||||||
- The other option (1) doesn't even give them UAC prompt so you must
|
understand this or the line below.
|
||||||
always login as admin to do anything.
|
- The other option (1) doesn't even give them UAC prompt so you must always
|
||||||
|
login as admin to do anything.
|
||||||
|
|
||||||
```
|
```
|
||||||
"dontdisplaylastusername"=dword:00000000
|
"dontdisplaylastusername"=dword:00000000
|
||||||
@ -39,8 +42,8 @@ Windows Registry Editor Version 5.00
|
|||||||
```
|
```
|
||||||
|
|
||||||
- Sets hardware clock to UTC time (doesn't affect system clock!)
|
- Sets hardware clock to UTC time (doesn't affect system clock!)
|
||||||
- qword for 64-bit, dword for 32-bit systems. The actual reg file has
|
- qword for 64-bit, dword for 32-bit systems. The actual reg file has only
|
||||||
only qword as I haven't seen 32-bit Windowses lately.
|
qword as I haven't seen 32-bit Windowses lately.
|
||||||
|
|
||||||
```
|
```
|
||||||
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
|
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
|
||||||
|
@ -1,3 +1,5 @@
|
|||||||
|
/** @format */
|
||||||
|
|
||||||
// This file belongs to Firefox `default/pref` directory.
|
// This file belongs to Firefox `default/pref` directory.
|
||||||
// E.g. /usr/lib64/firefox/defaults/pref/ or ~/.local/firefox/defaults/pref/
|
// E.g. /usr/lib64/firefox/defaults/pref/ or ~/.local/firefox/defaults/pref/
|
||||||
|
|
||||||
|
@ -1,10 +1,15 @@
|
|||||||
|
/** @format */
|
||||||
|
|
||||||
// This file belongs to Firefox `default/pref` directory as `autoconfig.js`.
|
// This file belongs to Firefox `default/pref` directory as `autoconfig.js`.
|
||||||
// E.g. /usr/lib64/firefox/defaults/pref/autoconfig.js
|
// E.g. /usr/lib64/firefox/defaults/pref/autoconfig.js
|
||||||
|
|
||||||
// WARNING: lockPref() IS NOT ALLOWED HERE!
|
// WARNING: lockPref() IS NOT ALLOWED HERE!
|
||||||
|
|
||||||
//pref("autoadmin.global_config_url","https://gitea.blesmrt.net/mikaela/shell-things/raw/branch/master/conf/firefox-forbidden-policies.js");
|
//pref("autoadmin.global_config_url","https://gitea.blesmrt.net/mikaela/shell-things/raw/branch/master/conf/firefox-forbidden-policies.js");
|
||||||
pref("autoadmin.global_config_url","file:///home/aminda/public_html/autoconfig.js");
|
pref(
|
||||||
|
"autoadmin.global_config_url",
|
||||||
|
"file:///home/aminda/public_html/autoconfig.js",
|
||||||
|
);
|
||||||
pref("general.config.obscure_value", 0);
|
pref("general.config.obscure_value", 0);
|
||||||
pref("autoadmin.refresh_interval", 120);
|
pref("autoadmin.refresh_interval", 120);
|
||||||
pref("autoadmin.offline_failover", true);
|
pref("autoadmin.offline_failover", true);
|
||||||
|
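Review bot: The trailing comma after the last argument of the wrapped `pref(` call for `autoadmin.global_config_url` is a risk in this file. Its header says it belongs in Firefox's `default/pref` directory, and files there are read by Firefox's preference-file parser rather than a JavaScript engine, so a comma directly before `)` may be rejected and the autoconfig prefs never applied. Set `"trailingComma": "none"` in the `.prettierrc` override that matches this file (or leave the file out of Prettier), then check in `about:config` after a restart that `autoadmin.global_config_url` still has the expected value.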
@ -1,3 +1,4 @@
|
|||||||
|
/** @format */
|
||||||
|
|
||||||
// ~/.{librewolf,var/app/io.gitlab.librewolf-community/.librewolf}/librewolf.overrides.cfg
|
// ~/.{librewolf,var/app/io.gitlab.librewolf-community/.librewolf}/librewolf.overrides.cfg
|
||||||
// The first line of this file is supposed to be empty.
|
// The first line of this file is supposed to be empty.
|
||||||
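Review bot: The added `/** @format */` pragma now occupies line 1, while the comment kept below it still reads `// The first line of this file is supposed to be empty.` Either keep line 1 empty (if the pragma comes from `insertPragma`, turn it off in the override for `conf/librewolf.overrides.cfg`), or update the comment to say what line 1 is actually required to be, after checking that LibreWolf still applies the overrides with the pragma in place.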
@ -11,7 +12,10 @@
|
|||||||
// NOTE! A lot is commented either for being a note, wrong, TODO, whatever, or most likely in my /etc/firefox/policies/policies.json
|
// NOTE! A lot is commented either for being a note, wrong, TODO, whatever, or most likely in my /etc/firefox/policies/policies.json
|
||||||
|
|
||||||
// Firefox autoconfig
|
// Firefox autoconfig
|
||||||
pref("autoadmin.global_config_url", "https://gitea.blesmrt.net/mikaela/shell-things/raw/branch/master/conf/librewolf.overrides.cfg");
|
pref(
|
||||||
|
"autoadmin.global_config_url",
|
||||||
|
"https://gitea.blesmrt.net/mikaela/shell-things/raw/branch/master/conf/librewolf.overrides.cfg",
|
||||||
|
);
|
||||||
//pref("general.config.obscure_value", 0);
|
//pref("general.config.obscure_value", 0);
|
||||||
pref("autoadmin.refresh_interval", 120);
|
pref("autoadmin.refresh_interval", 120);
|
||||||
pref("autoadmin.offline_failover", true);
|
pref("autoadmin.offline_failover", true);
|
||||||
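Review bot: Test the reformatted file in a throwaway profile before this reaches master, because the wrapped `autoadmin.global_config_url` value points at `raw/branch/master/conf/librewolf.overrides.cfg`, which is the very file this commit rewrites. Every profile configured this way will pull the new copy on its next refresh (`autoadmin.refresh_interval` is 120), so a formatting-induced parse problem would reach all of them without any local change.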
@ -51,7 +55,10 @@ pref("privacy.fingerprintingProtection.pbmode", true);
|
|||||||
// usability and reveal the real platform (voting for Linux
|
// usability and reveal the real platform (voting for Linux
|
||||||
// existing in statistics). https://searchfox.org/mozilla-central/source/toolkit/components/resistfingerprinting/RFPTargets.inc
|
// existing in statistics). https://searchfox.org/mozilla-central/source/toolkit/components/resistfingerprinting/RFPTargets.inc
|
||||||
// It's not like I have any uniqueness with `intl.accept_languages` below...
|
// It's not like I have any uniqueness with `intl.accept_languages` below...
|
||||||
pref("privacy.fingerprintingProtection.overrides", "+AllTargets,-KeyboardEvents,-SpeechSynthesis,-CSSPrefersColorScheme,-CSSPrefersReducedMotion,-NavigatorPlatform,-NavigatorUserAgent,-JSDateTimeUTC,-HttpUserAgent,-FontVisibilityRestrictGenerics,-FontVisibilityBaseSystem,-FontVisibilityLangPack");
|
pref(
|
||||||
|
"privacy.fingerprintingProtection.overrides",
|
||||||
|
"+AllTargets,-KeyboardEvents,-SpeechSynthesis,-CSSPrefersColorScheme,-CSSPrefersReducedMotion,-NavigatorPlatform,-NavigatorUserAgent,-JSDateTimeUTC,-HttpUserAgent,-FontVisibilityRestrictGenerics,-FontVisibilityBaseSystem,-FontVisibilityLangPack",
|
||||||
|
);
|
||||||
|
|
||||||
// :( but fingerprintability
|
// :( but fingerprintability
|
||||||
pref("javascript.use_us_english_locale", true);
|
pref("javascript.use_us_english_locale", true);
|
||||||
@ -147,8 +154,14 @@ pref("browser.cache.memory.enable", true);
|
|||||||
//pref("privacy.userContext.ui.enabled", true);
|
//pref("privacy.userContext.ui.enabled", true);
|
||||||
|
|
||||||
//pref("browser.contentblocking.category", "strict");
|
//pref("browser.contentblocking.category", "strict");
|
||||||
pref("privacy.partition.always_partition_third_party_non_cookie_storage", true);
|
pref(
|
||||||
pref("privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage", false);
|
"privacy.partition.always_partition_third_party_non_cookie_storage",
|
||||||
|
true,
|
||||||
|
);
|
||||||
|
pref(
|
||||||
|
"privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage",
|
||||||
|
false,
|
||||||
|
);
|
||||||
|
|
||||||
/** prevent media cache from being written to disk in pb, but increase max cache size to avoid playback issues */
|
/** prevent media cache from being written to disk in pb, but increase max cache size to avoid playback issues */
|
||||||
pref("browser.privatebrowsing.forceMediaMemoryCache", true);
|
pref("browser.privatebrowsing.forceMediaMemoryCache", true);
|
||||||
@ -271,7 +284,6 @@ pref("browser.urlbar.weather.featureGate", false);
|
|||||||
// these are from Arkenfox, I decided to put them here.
|
// these are from Arkenfox, I decided to put them here.
|
||||||
pref("browser.download.start_downloads_in_tmp_dir", true); // Arkenfox user.js v118
|
pref("browser.download.start_downloads_in_tmp_dir", true); // Arkenfox user.js v118
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* the pref disables the whole feature and hide it from the ui
|
* the pref disables the whole feature and hide it from the ui
|
||||||
* (as noted in https://bugzilla.mozilla.org/show_bug.cgi?id=1755057).
|
* (as noted in https://bugzilla.mozilla.org/show_bug.cgi?id=1755057).
|
||||||
@ -307,8 +319,6 @@ pref("browser.link.open_newwindow.restriction", 0);
|
|||||||
/** [SECTION] MOUSE */
|
/** [SECTION] MOUSE */
|
||||||
pref("browser.tabs.searchclipboardfor.middleclick", false); // prevent mouse middle click on new tab button to trigger searches or page loads
|
pref("browser.tabs.searchclipboardfor.middleclick", false); // prevent mouse middle click on new tab button to trigger searches or page loads
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
/** [CATEGORY] EXTENSIONS */
|
/** [CATEGORY] EXTENSIONS */
|
||||||
|
|
||||||
/** [SECTION] USER INSTALLED
|
/** [SECTION] USER INSTALLED
|
||||||
@ -363,14 +373,20 @@ pref("browser.shopping.experience2023.active", false);
|
|||||||
|
|
||||||
/** [SECTION] OTHERS */
|
/** [SECTION] OTHERS */
|
||||||
pref("webchannel.allowObject.urlWhitelist", ""); // remove web channel whitelist
|
pref("webchannel.allowObject.urlWhitelist", ""); // remove web channel whitelist
|
||||||
pref("services.settings.server", "https://%.invalid") // set the remote settings URL (REMOTE_SETTINGS_SERVER_URL in the code)
|
pref("services.settings.server", "https://%.invalid"); // set the remote settings URL (REMOTE_SETTINGS_SERVER_URL in the code)
|
||||||
|
|
||||||
/** [SECTION] NEW TAB PAGE
|
/** [SECTION] NEW TAB PAGE
|
||||||
* we want NTP to display nothing but the search bar without anything distracting.
|
* we want NTP to display nothing but the search bar without anything distracting.
|
||||||
* the three prefs below are just for minimalism and they should be easy to revert for users.
|
* the three prefs below are just for minimalism and they should be easy to revert for users.
|
||||||
*/
|
*/
|
||||||
pref("browser.newtabpage.activity-stream.section.highlights.includeDownloads", false);
|
pref(
|
||||||
pref("browser.newtabpage.activity-stream.section.highlights.includeVisited", false);
|
"browser.newtabpage.activity-stream.section.highlights.includeDownloads",
|
||||||
|
false,
|
||||||
|
);
|
||||||
|
pref(
|
||||||
|
"browser.newtabpage.activity-stream.section.highlights.includeVisited",
|
||||||
|
false,
|
||||||
|
);
|
||||||
pref("browser.newtabpage.activity-stream.feeds.topsites", false);
|
pref("browser.newtabpage.activity-stream.feeds.topsites", false);
|
||||||
// hide stories and sponsored content from Firefox Home
|
// hide stories and sponsored content from Firefox Home
|
||||||
pref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
|
pref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
|
||||||
@ -380,7 +396,10 @@ pref("browser.newtabpage.activity-stream.showSponsoredTopSites", false);
|
|||||||
pref("browser.newtabpage.activity-stream.feeds.telemetry", false);
|
pref("browser.newtabpage.activity-stream.feeds.telemetry", false);
|
||||||
pref("browser.newtabpage.activity-stream.telemetry", false);
|
pref("browser.newtabpage.activity-stream.telemetry", false);
|
||||||
// hide stories UI in about:preferences#home, empty highlights list
|
// hide stories UI in about:preferences#home, empty highlights list
|
||||||
pref("browser.newtabpage.activity-stream.feeds.section.topstories.options", "{\"hidden\":true}");
|
pref(
|
||||||
|
"browser.newtabpage.activity-stream.feeds.section.topstories.options",
|
||||||
|
'{"hidden":true}',
|
||||||
|
);
|
||||||
pref("browser.newtabpage.activity-stream.default.sites", "");
|
pref("browser.newtabpage.activity-stream.default.sites", "");
|
||||||
|
|
||||||
/** [SECTION] ABOUT
|
/** [SECTION] ABOUT
|
||||||
@ -406,8 +425,14 @@ pref("browser.preferences.moreFromMozilla", false);
|
|||||||
/** [SECTION] RECOMMENDED
|
/** [SECTION] RECOMMENDED
|
||||||
* disable all "recommend as you browse" activity.
|
* disable all "recommend as you browse" activity.
|
||||||
*/
|
*/
|
||||||
pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false);
|
pref(
|
||||||
pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false);
|
"browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features",
|
||||||
|
false,
|
||||||
|
);
|
||||||
|
pref(
|
||||||
|
"browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons",
|
||||||
|
false,
|
||||||
|
);
|
||||||
|
|
||||||
// Maybe Windows specific, but looks useful.
|
// Maybe Windows specific, but looks useful.
|
||||||
pref("network.protocol-handler.external.ms-windows-store", false); // prevent links from launching windows store
|
pref("network.protocol-handler.external.ms-windows-store", false); // prevent links from launching windows store
|
||||||
|
@ -1,16 +1,18 @@
|
|||||||
|
<!-- @format -->
|
||||||
|
|
||||||
My configs for [dnscrypt-proxy]
|
My configs for [dnscrypt-proxy]
|
||||||
|
|
||||||
At the time of writing, hosts-mikaela.txt is intended for not having to
|
At the time of writing, hosts-mikaela.txt is intended for not having to
|
||||||
remember or trust the DNS for all of the domains or the hypothetical
|
remember or trust the DNS for all of the domains or the hypothetical scenario
|
||||||
scenario where I have no access to DNS, but for some reason having access
|
where I have no access to DNS, but for some reason having access to
|
||||||
to [Yggdrasil] and/or [Hyperboria] or just to answer the question, why to
|
[Yggdrasil] and/or [Hyperboria] or just to answer the question, why to rely on
|
||||||
rely on centralized technology on decentralized web.
|
centralized technology on decentralized web.
|
||||||
|
|
||||||
Mosts of the domains in hosts-mikaela.txt should also work without the file
|
Mosts of the domains in hosts-mikaela.txt should also work without the file
|
||||||
when mikaela.internal is replaced with mikaela.info, however relying on DNS,
|
when mikaela.internal is replaced with mikaela.info, however relying on DNS,
|
||||||
but that way you must trust DNSSEC, CloudFlare and wherever the CNAME
|
but that way you must trust DNSSEC, CloudFlare and wherever the CNAME points
|
||||||
points to who may not have DNSSEC. If you are using this file
|
to who may not have DNSSEC. If you are using this file (you shouldn't), you
|
||||||
(you shouldn't), you are already trusting me.
|
are already trusting me.
|
||||||
|
|
||||||
[dnscrypt-proxy]: https://github.com/jedisct1/dnscrypt-proxy
|
[dnscrypt-proxy]: https://github.com/jedisct1/dnscrypt-proxy
|
||||||
[hyperboria]: https://hyperboria.net/
|
[hyperboria]: https://hyperboria.net/
|
||||||
|
@ -1,3 +1,5 @@
|
|||||||
|
<!-- @format -->
|
||||||
|
|
||||||
# Firefox `policies.json`
|
# Firefox `policies.json`
|
||||||
|
|
||||||
- https://mozilla.github.io/policy-templates/
|
- https://mozilla.github.io/policy-templates/
|
||||||
@ -32,8 +34,8 @@ per whatever I am doing.
|
|||||||
## WARNING TO LIBREWOLF USERS
|
## WARNING TO LIBREWOLF USERS
|
||||||
|
|
||||||
This file takes priority over
|
This file takes priority over
|
||||||
`/usr/share/librewolf/distribution/policies.json` so don't apply this or
|
`/usr/share/librewolf/distribution/policies.json` so don't apply this or a lot
|
||||||
a lot of LibreWolf specific customizations stops being in force.
|
of LibreWolf specific customizations stops being in force.
|
||||||
|
|
||||||
## General warning
|
## General warning
|
||||||
|
|
||||||
|
@ -1,3 +1,5 @@
|
|||||||
|
<!-- @format -->
|
||||||
|
|
||||||
# Chromium policies
|
# Chromium policies
|
||||||
|
|
||||||
- https://chromeenterprise.google/policies/
|
- https://chromeenterprise.google/policies/
|
||||||
@ -200,8 +202,8 @@ disabling GTK/Qt themes.
|
|||||||
|
|
||||||
## `brave-shields-disabled.json`
|
## `brave-shields-disabled.json`
|
||||||
|
|
||||||
Allowlist for sites where I think Brave Shields may be breaking things. Similar is also in
|
Allowlist for sites where I think Brave Shields may be breaking things.
|
||||||
`aminda-extensions.json` for Privacy Badger.
|
Similar is also in `aminda-extensions.json` for Privacy Badger.
|
||||||
|
|
||||||
## `disable-brave-ipfs.json`
|
## `disable-brave-ipfs.json`
|
||||||
|
|
||||||
@ -254,14 +256,15 @@ Simply forces DNS-over-HTTPS with DNS0.eu.
|
|||||||
|
|
||||||
## `doh-mullvad-base.json`
|
## `doh-mullvad-base.json`
|
||||||
|
|
||||||
Forces DNS-over-HTTPS with Mullvad Base, which features ad, malware & tracker blocking.
|
Forces DNS-over-HTTPS with Mullvad Base, which features ad, malware & tracker
|
||||||
|
blocking.
|
||||||
|
|
||||||
- https://mullvad.net/en/help/dns-over-https-and-dns-over-tls#specifications
|
- https://mullvad.net/en/help/dns-over-https-and-dns-over-tls#specifications
|
||||||
|
|
||||||
## `doh-quad9-ecs.json`
|
## `doh-quad9-ecs.json`
|
||||||
|
|
||||||
Forces DNS over HTTPS with Quad9 ECS enabled threat-blocking server and also contains
|
Forces DNS over HTTPS with Quad9 ECS enabled threat-blocking server and also
|
||||||
their alternative port.
|
contains their alternative port.
|
||||||
|
|
||||||
## `doh-quad9.json`
|
## `doh-quad9.json`
|
||||||
|
|
||||||
@ -270,15 +273,18 @@ their alternative port.
|
|||||||
|
|
||||||
## `doh-unlocked-unset.json`
|
## `doh-unlocked-unset.json`
|
||||||
|
|
||||||
Allows configuring DoH even with managed policies present (unless another DoH rule is in force) since enabling any managed policy will otherwise gray out the option.
|
Allows configuring DoH even with managed policies present (unless another DoH
|
||||||
|
rule is in force) since enabling any managed policy will otherwise gray out
|
||||||
|
the option.
|
||||||
|
|
||||||
If no DNS over HTTPS policy is used, this unlocks the setting. Enabling managed policies disable it by default.
|
If no DNS over HTTPS policy is used, this unlocks the setting. Enabling
|
||||||
|
managed policies disable it by default.
|
||||||
|
|
||||||
My other `doh-*.json` set this as well, because `secure` doesn't allow
|
My other `doh-*.json` set this as well, because `secure` doesn't allow
|
||||||
downgrade to system resolver and Chromium seems somewhat unreliable with it often reporting
|
downgrade to system resolver and Chromium seems somewhat unreliable with it
|
||||||
`DNS_PROBE_POSSIBLE` and while this occassionally disables ECH, it works and
|
often reporting `DNS_PROBE_POSSIBLE` and while this occassionally disables
|
||||||
my system resolvers are encrypted. I hope they will implement ECH with system
|
ECH, it works and my system resolvers are encrypted. I hope they will
|
||||||
resolver soon to fix this.
|
implement ECH with system resolver soon to fix this.
|
||||||
|
|
||||||
## `edge-appsfavorites.json`
|
## `edge-appsfavorites.json`
|
||||||
|
|
||||||
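Review bot: The reflowed paragraph under `doh-unlocked-unset.json` carries over the misspelling "occassionally" (should be "occasionally"). These lines are rewritten in this commit anyway, so it is worth fixing in the same pass.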
@ -298,7 +304,8 @@ Explicitly enables Chromecast support.
|
|||||||
|
|
||||||
## `enable-labs.json`
|
## `enable-labs.json`
|
||||||
|
|
||||||
Enables the beaker button "Experiments" for easier management than `about:flags`.
|
Enables the beaker button "Experiments" for easier management than
|
||||||
|
`about:flags`.
|
||||||
|
|
||||||
## `enable-passwordleakdetection.json`
|
## `enable-passwordleakdetection.json`
|
||||||
|
|
||||||
@ -332,14 +339,14 @@ This file evolved to merge another one, so now it:
|
|||||||
|
|
||||||
## `prefetch.json`
|
## `prefetch.json`
|
||||||
|
|
||||||
Enables prefetching. Will make sites very speedy, but decreases privacy and may
|
Enables prefetching. Will make sites very speedy, but decreases privacy and
|
||||||
conflict with uBlock Origin. However AdNauseam is already clicking those ads, so
|
may conflict with uBlock Origin. However AdNauseam is already clicking those
|
||||||
maybe it's not that big of an issue.
|
ads, so maybe it's not that big of an issue.
|
||||||
|
|
||||||
## `profilemanager.json`
|
## `profilemanager.json`
|
||||||
|
|
||||||
Forces the profile screen even with only one profile. I love the feature in Firefox
|
Forces the profile screen even with only one profile. I love the feature in
|
||||||
and want to see it here too, now that I accidentally noticed it.
|
Firefox and want to see it here too, now that I accidentally noticed it.
|
||||||
|
|
||||||
## `README.md`
|
## `README.md`
|
||||||
|
|
||||||
|
@ -1,3 +1,5 @@
|
|||||||
|
<!-- @format -->
|
||||||
|
|
||||||
# systemd-resolved additional config files
|
# systemd-resolved additional config files
|
||||||
|
|
||||||
<!-- editorconfig-checker-disable -->
|
<!-- editorconfig-checker-disable -->
|
||||||
@ -17,8 +19,8 @@
|
|||||||
|
|
||||||
## Quickstart
|
## Quickstart
|
||||||
|
|
||||||
This is also done by `../../systemd-resolv.conf-restore.bash` which takes
|
This is also done by `../../systemd-resolv.conf-restore.bash` which takes into
|
||||||
into account more circumstances...
|
account more circumstances...
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
sudo systemctl enable --now systemd-resolved.service
|
sudo systemctl enable --now systemd-resolved.service
|
||||||
@ -33,13 +35,13 @@ offer.
|
|||||||
|
|
||||||
## Files explained
|
## Files explained
|
||||||
|
|
||||||
- `00-defaults.conf` - configuration that should be used everywhere.
|
- `00-defaults.conf` - configuration that should be used everywhere. Enables
|
||||||
Enables DNSSEC (regardless of systemd-resolved not handling it properly),
|
DNSSEC (regardless of systemd-resolved not handling it properly), enables
|
||||||
enables opportunistic DoT, caching and local DNS servers (because they
|
opportunistic DoT, caching and local DNS servers (because they should exist
|
||||||
should exist anyway as I don't trust systemd-resolved entirely. Anyway if
|
anyway as I don't trust systemd-resolved entirely. Anyway if there truly is
|
||||||
there truly is no local resolver, systemd-resolved will detect that and act accordingly.)
|
no local resolver, systemd-resolved will detect that and act accordingly.)
|
||||||
- To rephrase, this is to be used together with other files, especially
|
- To rephrase, this is to be used together with other files, especially some
|
||||||
some of those beginning with `10-dot-`.
|
of those beginning with `10-dot-`.
|
||||||
- `05-do53-dna-moi.conf` - DNS servers used by DNA and Moi (who is on DNA's
|
- `05-do53-dna-moi.conf` - DNS servers used by DNA and Moi (who is on DNA's
|
||||||
network and owned by them)
|
network and owned by them)
|
||||||
- `05-do53-elisa.conf` - DNS servers used by Elisa and apparently their
|
- `05-do53-elisa.conf` - DNS servers used by Elisa and apparently their
|
||||||
@ -48,12 +50,12 @@ offer.
|
|||||||
At least one of these should be used in addition to `00-defaults.conf`
|
At least one of these should be used in addition to `00-defaults.conf`
|
||||||
- `98-local-resolver.conf` attempts to configure localhost resolver and
|
- `98-local-resolver.conf` attempts to configure localhost resolver and
|
||||||
disables unnecessary features for that scenario. The number 10 takes
|
disables unnecessary features for that scenario. The number 10 takes
|
||||||
priority over 00 and 05 so if a DNSOverTLS=true is uncommented, it will
|
priority over 00 and 05 so if a DNSOverTLS=true is uncommented, it will also
|
||||||
also apply to the former ones that are unlikely to support it. When
|
apply to the former ones that are unlikely to support it. When numbering the
|
||||||
numbering the files, I didn't think I would be adding the plaintext DNS
|
files, I didn't think I would be adding the plaintext DNS servers that I am
|
||||||
servers that I am unlikely to use whenever Unbound is available (and I
|
unlikely to use whenever Unbound is available (and I currently have only one
|
||||||
currently have only one system that has systemd-resolved while not having
|
system that has systemd-resolved while not having Unbound and it seems to
|
||||||
Unbound and it seems to prefer DoT over my router anyway).
|
prefer DoT over my router anyway).
|
||||||
- `99-lan-resolver.conf.sample` when renamed would allow enabling resolvers on
|
- `99-lan-resolver.conf.sample` when renamed would allow enabling resolvers on
|
||||||
LAN assuming they are trusted. Note that if used together with
|
LAN assuming they are trusted. Note that if used together with
|
||||||
`98-local-resolver.conf`, DNSSEC would be disabled.
|
`98-local-resolver.conf`, DNSSEC would be disabled.
|
||||||
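Review bot: In the reflowed `98-local-resolver.conf` bullet, the text still says "The number 10 takes priority over 00 and 05", which does not match the file name it describes (98). Since the paragraph is being touched, correct the number or state which `10-` files are meant, because the sentence goes on to explain when `DNSOverTLS=true` applies to the plaintext resolvers and a reader needs the ordering to be right.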
@ -61,30 +63,33 @@ offer.
|
|||||||
|
|
||||||
## General commentary
|
## General commentary
|
||||||
|
|
||||||
- DNSOverTLS became supported in systemd v239, strict mode (true) in
|
- DNSOverTLS became supported in systemd v239, strict mode (true) in v243 (big
|
||||||
v243 (big improvements in v244).
|
improvements in v244).
|
||||||
- TODO: find out when SNI became supported, I have just spotted it in the
|
- TODO: find out when SNI became supported, I have just spotted it in the
|
||||||
fine manual in 2020-06-??.
|
fine manual in 2020-06-??.
|
||||||
- Domains has to be `.~` for them to override DHCP. See https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd
|
- Domains has to be `.~` for them to override DHCP. See
|
||||||
|
https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd
|
||||||
without which I wouldn't have got this right.
|
without which I wouldn't have got this right.
|
||||||
- DNSSEC may not work if the system is down for a long time and not updated.
|
- DNSSEC may not work if the system is down for a long time and not updated.
|
||||||
Thus `allow-downgrade` may be better for non-tech people, even with the
|
Thus `allow-downgrade` may be better for non-tech people, even with the
|
||||||
potential downgrade attack. There are also captive portals, affecting
|
potential downgrade attack. There are also captive portals, affecting
|
||||||
`DNSOverTLS`. Both take `true` or `false` or their own special option,
|
`DNSOverTLS`. Both take `true` or `false` or their own special option, for
|
||||||
for DNSSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
|
DNSSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
|
||||||
- Then again when was any system that outdated to not have working DNSSEC?
|
- Then again when was any system that outdated to not have working DNSSEC?
|
||||||
- TODO: return to this configuration should that actually happen?
|
- TODO: return to this configuration should that actually happen?
|
||||||
- I am actually running Unbound simultaneously with `resolv.conf` pointing
|
- I am actually running Unbound simultaneously with `resolv.conf` pointing
|
||||||
to both with `options rotate edns0 trust-ad` which might workaround that
|
to both with `options rotate edns0 trust-ad` which might workaround that
|
||||||
potential issue.
|
potential issue.
|
||||||
- DNS server priority is the one they are specified in. The first working one
|
- DNS server priority is the one they are specified in. The first working one
|
||||||
will be used when it won't work anymore and then the next is used as long
|
will be used when it won't work anymore and then the next is used as long as
|
||||||
as it works and then it's back to the beginning.
|
it works and then it's back to the beginning.
|
||||||
- https://github.com/systemd/systemd/issues/16322#issuecomment-724143641
|
- https://github.com/systemd/systemd/issues/16322#issuecomment-724143641
|
||||||
|
|
||||||
Other links I have found important and my files are based on:
|
Other links I have found important and my files are based on:
|
||||||
|
|
||||||
- https://wiki.archlinux.org/index.php/Systemd-resolved
|
- https://wiki.archlinux.org/index.php/Systemd-resolved
|
||||||
- Also provides the serious issues systemd-resolved+DNSSEC issues, https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
|
- Also provides the serious issues systemd-resolved+DNSSEC issues,
|
||||||
|
https://github.com/systemd/systemd/issues/10579 &
|
||||||
|
https://github.com/systemd/systemd/issues/9867
|
||||||
- request for strict DoT: https://github.com/systemd/systemd/issues/10755
|
- request for strict DoT: https://github.com/systemd/systemd/issues/10755
|
||||||
- vulnerable to MITM: https://github.com/systemd/systemd/issues/9397
|
- vulnerable to MITM: https://github.com/systemd/systemd/issues/9397
|
||||||
|
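Review bot: the bullet about running Unbound alongside systemd-resolved documents `options rotate edns0 trust-ad` without saying what `trust-ad` depends on. With that option the glibc stub resolver keeps the AD bit from whichever listed nameserver answered, so the setting is only sound when every `nameserver` entry is a validating resolver reached over a trusted path such as loopback. One sentence stating that would help. Separately, the reflowed sub-bullet still reads "the serious issues systemd-resolved+DNSSEC issues", which a follow-up commit could tidy so this one stays formatting only.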
@ -1,15 +1,19 @@
|
|||||||
|
<!-- @format -->
|
||||||
|
|
||||||
Systemd services. These are sorted by some kind of category into
|
Systemd services. These are sorted by some kind of category into
|
||||||
subdirectories. The sudirectories won't exist in the real
|
subdirectories. The sudirectories won't exist in the real
|
||||||
`/etc/systemd/system` unless they end `.wants` or `.d` or something similar
|
`/etc/systemd/system` unless they end `.wants` or `.d` or something similar
|
||||||
and I forget to update this README file if that happens.
|
and I forget to update this README file if that happens.
|
||||||
|
|
||||||
- reflector.service is copied from https://wiki.archlinux.org/index.php/Reflector
|
- reflector.service is copied from
|
||||||
but uses https instead of http, because there is no reason I would want
|
https://wiki.archlinux.org/index.php/Reflector but uses https instead of
|
||||||
someone to see what I download.
|
http, because there is no reason I would want someone to see what I
|
||||||
|
download.
|
||||||
|
|
||||||
## Worth reading
|
## Worth reading
|
||||||
|
|
||||||
- Waiting for network devices to have IP address (**I only use this for
|
- Waiting for network devices to have IP address (**I only use this for
|
||||||
cables**) https://wiki.freedesktop.org/www/Software/systemd/NetworkTarget/#cutthecraphowdoimakenetwork.targetworkforme
|
cables**)
|
||||||
|
https://wiki.freedesktop.org/www/Software/systemd/NetworkTarget/#cutthecraphowdoimakenetwork.targetworkforme
|
||||||
- `systemctl enable NetworkManager-wait-online.service`
|
- `systemctl enable NetworkManager-wait-online.service`
|
||||||
- `systemctl enable systemd-networkd-wait-online.service`
|
- `systemctl enable systemd-networkd-wait-online.service`
|
||||||
|
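Review bot: `sudirectories` in the second sentence of this README ("The sudirectories won't exist in the real `/etc/systemd/system`") is a typo for `subdirectories` and passes through the reformat unchanged. Fix it in a separate commit so the Prettier diff stays purely mechanical.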
@ -1,3 +1,5 @@
|
|||||||
|
<!-- @format -->
|
||||||
|
|
||||||
# Autostart files for graphical desktop environments
|
# Autostart files for graphical desktop environments
|
||||||
|
|
||||||
This mostly caters for my family.
|
This mostly caters for my family.
|
||||||
|
@ -1,3 +1,5 @@
|
|||||||
|
<!-- @format -->
|
||||||
|
|
||||||
# Custom app menu entries
|
# Custom app menu entries
|
||||||
|
|
||||||
These can be used for either `~/.local/share/applications` or
|
These can be used for either `~/.local/share/applications` or
|
||||||
@ -25,12 +27,12 @@ so graphical desktop environments started the apps on login.
|
|||||||
## `a-*.desktop`
|
## `a-*.desktop`
|
||||||
|
|
||||||
These files are companions to my script repos `bash/usr-local-bin/*` belonging
|
These files are companions to my script repos `bash/usr-local-bin/*` belonging
|
||||||
to `/usr/local/share/applications` and are named so to
|
to `/usr/local/share/applications` and are named so to avoid masking package
|
||||||
avoid masking package manager. They have clearly different names such as using
|
manager. They have clearly different names such as using all caps.
|
||||||
all caps.
|
|
||||||
|
|
||||||
Apparently one can also have subdirectories in `/usr/local/share/applications/`
|
Apparently one can also have subdirectories in
|
||||||
and `~/.local/share/applications/` making life easier.
|
`/usr/local/share/applications/` and `~/.local/share/applications/` making
|
||||||
|
life easier.
|
||||||
|
|
||||||
## Refreshing the menus
|
## Refreshing the menus
|
||||||
|
|
||||||
|
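Review bot: in the `a-*.desktop` paragraph, the reflowed sentence "named so to avoid masking package manager." is missing its object, so it is not clear what the `a-` prefix is protecting. Consider naming it explicitly in a follow-up, for example the `.desktop` entries installed by the package manager, if that is the intent.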
@ -1,3 +1,5 @@
|
|||||||
|
<!-- @format -->
|
||||||
|
|
||||||
iwd network configuration lives in this directory
|
iwd network configuration lives in this directory
|
||||||
|
|
||||||
See also `../../../etc/iwd/main.conf` especially in standalone iwd without
|
See also `../../../etc/iwd/main.conf` especially in standalone iwd without
|
||||||
@ -5,11 +7,11 @@ NetworkManager.
|
|||||||
|
|
||||||
Notes:
|
Notes:
|
||||||
|
|
||||||
- `git commit`ing the same SSID with different capitalisations breaks
|
- `git commit`ing the same SSID with different capitalisations breaks Windows
|
||||||
Windows and more common macOS setups due to their filesystems being
|
and more common macOS setups due to their filesystems being
|
||||||
case-insensitive.
|
case-insensitive.
|
||||||
- `Settings.AutoConnect=true` is unnecessary as it defaults to true
|
- `Settings.AutoConnect=true` is unnecessary as it defaults to true according
|
||||||
according to `man iwd.network`.
|
to `man iwd.network`.
|
||||||
- `IPv6.Enabled=true` defauls to true being also unnecessary.
|
- `IPv6.Enabled=true` defauls to true being also unnecessary.
|
||||||
- `private-home-sample.psk` has a comment on MAC address override and sends
|
- `private-home-sample.psk` has a comment on MAC address override and sends
|
||||||
hostname with IPv4 DHCP. `private-cafe-sample.psk` always randomizes MAC
|
hostname with IPv4 DHCP. `private-cafe-sample.psk` always randomizes MAC
|
||||||
|
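Review bot: `defauls` in the `IPv6.Enabled=true` bullet is a typo for `defaults`, and the bullet's wording ("defauls to true being also unnecessary") is harder to read than the `Settings.AutoConnect=true` bullet directly above it. A follow-up commit could phrase both the same way, with the source (`man iwd.network`) cited for each default.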